
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Jim Manico <jim.manico@owasp.org>
Date: Fri, 02 Jan 2015 12:17:03 -1000
Message-ID: <54A718DF.3000602@owasp.org>
To: public-webappsec@w3.org, Brad Hill <hillbrad@gmail.com>, timbl@w3.org

Tim,

I missed something in my response. Brad said that if you start from an
HTTP page, *and change nothing but loading one script internally from
http to https*, nothing can break. Brad was explicitly NOT talking
about upgrading the document to HTTPS, only the link from which the
script is retrieved, which is what your proposed requirement referenced.

So indeed, Brad's comments still stand.

Thank you,
Jim

PS: I meant *Sir Berners-Lee*, I forgot you were knighted by the
queen. :)

***


From: Jim Manico <jim.manico@owasp.org>
Date: Fri, 2 Jan 2015 11:21:22 -1000
Message-ID: <6224839210151045073@unknownmsgid>
To: Brad Hill <hillbrad@gmail.com>
Cc: Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" 
<public-webappsec@w3.org>

Regarding:

<script src=http://example.com/scripts/doStuff.js>
that link can ALWAYS be changed to:
<script src=https://example.com/scripts/doStuff.js>
and nothing will break

This does not seem true to me, Brad. If my script has hard-coded HTTP links
for resource retrieval and I disable HTTP or redirect to HTTPS in certain
ways, those scripts will sometimes break. I ran into this *last week*.

Never doubt the power of a crazy developer. :)

Respectfully,
--
Jim Manico
@Manicode
(808) 652-3805

On Jan 2, 2015, at 11:16 AM, Brad Hill <hillbrad@gmail.com> wrote:

<script src=http://example.com/scripts/doStuff.js>

that link can ALWAYS be changed to:

<script src=https://example.com/scripts/doStuff.js>

and nothing will b
Received on Friday, 2 January 2015 22:17:37 UTC
