W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 02 Jan 2015 21:14:56 +0000
Message-ID: <CAEeYn8ibKVGyyTa=vqRWJrU5VGkGwQ-tB+_4G0KzBKWKWDnYOQ@mail.gmail.com>
To: Tim Berners-Lee <timbl@w3.org>, public-webappsec@w3.org
Tim,

Thanks for chiming in.  If I may endeavor to clarify a couple of things:


> I would like to introduce a requirement:
>
> *No script which works when served as http: should fail when instead
> served from https:*
>
>
There is a distinction here that the phrasing of this requirement misses -
between the behavior of a secure document context and the location from
which a script is served.

In the strict sense, this requirement as phrased above is already correct
and would not be changed by the proposed Mixed Content draft.  e.g. If I
load the insecure resource:

http://example.com/foo.html

and it contains the following markup:

<script src=http://example.com/scripts/doStuff.js>

that link can ALWAYS be changed to:

<script src=https://example.com/scripts/doStuff.js>

and nothing will break.

Also, if I load the secure resource:

https://example.com/foo.html

and it contains the following markup:

<script src=http://example.com/scripts/doStuff.js>

That script today will ALWAYS be blocked from loading by modern browsers,
for some years now.

So any script which today can be served over http and be allowed to execute
can be upgraded to https and continue to work.

The rest of your message seems to indicate you're not actually or
exclusively concerned with where/how a script is served, but with whether
secure document contexts can load insecure content.

There are many legitimate reasons to be concerned about introducing
insecure content into a page that has made some assertions to a user about
its security, as Michal has already pointed out in his reply.

If I might suggest a pivot here along the lines of the compatibility and
path forward you (and we all) desire, perhaps we ought to discuss the
possibility of automatic / optimistic upgrade from HTTP -> HTTPS for
requests issued from a secure document context.  So if you load a script
over https from a secure context, just auto-fixup all links to https.

We have always shied away from doing this in the past because there is no
formal guarantee that the resource at an URL with the http scheme is
semantically equivalent to one available at the "same" URL with the https
scheme.

Perhaps that shyness is worth revisiting today in light of the broad push
to move as much as possible to secure transports.  If resource authors
simply started serving the same content over https as they do today over
http, we could make vast improvements and avoid much of the pain
mixed-content blocking creates for such transitions today.

The edge cases introduced by this kind of optimistic upgrade may very well
be fewer and less harmful than those introduced by allowing insecure
content into secure contexts.  In fact, the EFF probably already has a good
amount of data on exactly this from the HTTPS Everywhere extension.

What do you think?

-Brad Hill
(chair, webappsec)
Received on Friday, 2 January 2015 21:15:24 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC