Re: Redirects and HSTS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 27 Sep 2014 13:14:28 +0200
Message-ID: <CADnb78i8PXkFg4Rep==V6gDoF5W5kjDXTZsMEWT_x-b2c8ZZ7g@mail.gmail.com>
To: Mathias Bynens <mathiasb@opera.com>
Cc: Ryan Sleevi <sleevi@google.com>, Tanvi Vyas <tanvi@mozilla.com>, Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>

On Sat, Sep 27, 2014 at 12:36 PM, Mathias Bynens <mathiasb@opera.com> wrote:
> On Sat, Sep 27, 2014 at 9:54 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> I think I'm out of my depth, but why would this give access to the
>> contents of the target document?
>
> Anything that goes over HTTP (i.e. with no HSTS kicking in) can be
> sslstripped or otherwise interfered with by a MitM attacker.

Sure, that bit I understand.


-- 
https://annevankesteren.nl/
Received on Saturday, 27 September 2014 11:14:56 UTC