W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Fri, 2 Jan 2015 12:44:21 -0800
Message-ID: <CALx_OUBC_nU2ny6MR=cQWa5Y7hrGOF4S8ehPtZ0MywcQ7GEWOw@mail.gmail.com>
To: Tim Berners-Lee <timbl@w3.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> No script which works when served as http: should fail when instead served
> from https:

To make sure that we're all on the same page, it may be useful to draw
a line between two fairly distinct scenarios:

1) An HTTP origin attempting to load a script that is served over
HTTPS. As far as I can tell, in this case, the location from which the
script is served is essentially immaterial - and the JS code will be
not subject to any unusual constraints compared to any HTTP-delivered
counterparts.

2) An HTTPS origin attempting to load a script that is served over
HTTP. This is the scenario that the spec deals with and where browsers
pull off all the mixed content blocking tricks.

My initial reading of the proposed one-line addition to the spec
(specifically, the "served" part) made me assume that the concern at
the heart of this thread deals with the first use case. But in my
understanding, this is not something that browsers try to restrict
today, or that anyone aspires to (?).

On the flip side, some of the later discussion - in particular, the
two paragraphs starting with "This means that there is large class..."
- suggest that the concern may be with the second use case, and that
it would be preferable to go back to the old behavior where a HTTP
script loaded on a HTTPS page simply resulted in a warning icon or a
crossed-out "https://" string in the address bar.

If it's the latter, I think that the breakage of some subset of web
applications when migrated to HTTPS is a very valid worry that the
authors of the spec are acutely aware of.

Nevertheless, the big security concern with after-the-fact "tainted
origin" indicators is that by the time they are shown, an
unsafely-loaded and possibly attacker-modified script is already
running in the security context of the parent HTTPS page. Because the
creation of such scripts can happen at any point within an
already-running application, and their presence can't be determined on
the initial page load, it's very difficult to retroactively isolate
the "tainted" execution context and prevent it from accessing any
previously-entered secrets provided by the user with the assumption
that they will be safe against network-level attacks.

Of course, there are many other ways to compromise the security of
user data; but mixed content problems are extremely easy to introduce,
and have been a notorious problem across the web despite browsers
showing address bar warnings for more than a decade.

If passive indicators are dangerous, there is always the option of
giving users the choice to run unsafe scripts. That said, I'd posit
that it's extremely difficult to explain the implications and have the
users consistently make the right call.

/mz
Received on Friday, 2 January 2015 20:45:09 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC