
Re: [whatwg] Fetch, MSE, and MIX

From: Mark Watson <watsonm@netflix.com>
Date: Thu, 16 Apr 2015 07:47:02 -0700
Message-ID: <-2118205020578262430@unknownmsgid>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Martin Thomson <martin.thomson@gmail.com>, Aaron Colwell <acolwell@google.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Matthew Wolenetz <wolenetz@google.com>, WHATWG <whatwg@whatwg.org>, Domenic Denicola <d@domenic.me>, Ryan Sleevi <sleevi@google.com>, "public-html-media@w3.org" <public-html-media@w3.org>
> On Apr 15, 2015, at 9:37 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
> On Wed, Apr 15, 2015 at 6:45 PM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
>> I believe that the easiest way to avoid this is to make an attempt to
>> read Response.body raise a SecurityError if the origin is different
>> (in Firefox terms, we would say "if the response principal is not
>> subsumed by the script principal").
>
> The proposal is that .body returns an opaque stream object that you
> cannot read from, but privileged code can. But yes, same general idea
> as the SOP dances elsewhere.
>
> Having said all this, it has come to my attention that Netflix had a
> change of heart

Anne,

I hope you would concede that this was not simply a 'change of heart'.
We created and shared a new technology (kernel
encryption) which makes HTTPS viable for us at our scale. We did it
much faster than we predicted 6 months ago, not because it was easy
but because we put some very talented people on the problem.

... Mark

> so maybe we do not want to put effort into this new
> Mixed Content API? It could still be useful for
> same-scheme-cross-origin-"no-cors" of course, but nobody has asked for
> that.
>
>
> --
> https://annevankesteren.nl/
Received on Thursday, 16 April 2015 14:47:31 UTC
