- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 26 Sep 2014 19:45:54 +0200
- To: Tanvi Vyas <tanvi@mozilla.com>
- Cc: Mike West <mkwst@google.com>, Ryan Sleevi <sleevi@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Fri, Sep 26, 2014 at 7:22 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:

> Regardless of how HSTS and mixed content interact, the problem Anne
> describes can still exist on an http non-HSTS page. The http page can embed
> <img src=http://hsts-target.example/ onload=visited() onerror=notvisited()>
> and Mixed Content Blocker would never be invoked to prevent the http page
> from discovering whether the user has visited the target page.

The attack is not through mixed content and is not about whether or not HSTS is used on the attacker page.

-- 
https://annevankesteren.nl/
Received on Friday, 26 September 2014 17:46:23 UTC