- From: Richard Barnes <rbarnes@mozilla.com>
- Date: Tue, 25 Aug 2015 11:04:39 -0400
- To: Brian Smith <brian@briansmith.org>
- Cc: Tanvi Vyas <tvyas@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Received on Tuesday, 25 August 2015 15:05:12 UTC
On Tue, Aug 25, 2015 at 3:38 AM, Brian Smith <brian@briansmith.org> wrote:

> Tanvi Vyas <tvyas@mozilla.com> wrote:
>
>> On Aug 24, 2015, at 11:24 PM, Brian Smith <brian@briansmith.org> wrote:
>>
>> Neither "priming" nor u-i-r are secure against an active MitM so websites
>> cannot rely on them for security. Websites need to use https://
>> subresource links to actually be secure.
>>
>>
>> How so? Neither priming or u-r-i has to make an HTTP request. The
>> browser makes an HTTP request only when priming fails.
>>
>
> The MitM can block the priming request/response.
>

In that case, you're just back in the state we're in today, with normal mixed content blocking.

--Richard

>
> Cheers,
> Brian
> --
> https://briansmith.org/
>