- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 5 Jan 2015 11:34:59 +0100
- To: Tim Berners-Lee <timbl@w3.org>
- Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 11:24 AM, Tim Berners-Lee <timbl@w3.org> wrote:
> You are right of course. I guess the requirement needs to be rewritten
> more like:
>
>> No script which works when served as http: within an http: web page should
>> fail when instead served from https: within a https: web page

Why are scripts special? Why do you think

  x = new XMLHttpRequest
  x.open("GET", "http://example/test")
  x.send()

should succeed whereas

  <script src=http://example/test>

should fail? (Assuming TLS for the surrounding context.) Both pose the
same problem.

--
https://annevankesteren.nl/
Received on Monday, 5 January 2015 10:35:26 UTC
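
The two loads compared in the message above, checked by one audit routine. This is an added example, not part of the original message: a small Node.js helper that flags both a `<script src=http:...>` and an `XMLHttpRequest` `open` call to an `http:` URL in a page served over `https:`. The function names and the sample page are constructed for illustration, and only string-literal URLs are matched.

```javascript
// Constructed sample page; http://example/test is the URL used in the message.
const SAMPLE_PAGE = `
<script src=http://example/test></script>
<script src="https://example/ok.js"></script>
<script>
  x = new XMLHttpRequest
  x.open("GET", "http://example/test")
  x.send()
  y = new XMLHttpRequest
  y.open("GET", "https://example/ok")
</script>`;

// <script ... src=...> with a double-quoted, single-quoted or unquoted value.
const SCRIPT_SRC =
  /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// .open("METHOD", "URL") with a string-literal URL (dynamic URLs are not seen).
const XHR_OPEN = /\.open\(\s*["'][A-Za-z]+["']\s*,\s*["']([^"']+)["']/g;

// True when the URL explicitly uses the http: scheme.
function isInsecure(url) {
  return /^http:\/\//i.test(url.trim());
}

// Returns [{kind, url}] for every http: load found in a page served over https:.
// A page that is itself http: has no secure context to mix into, so it yields [].
function findMixedContent(pageUrl, html) {
  if (!/^https:\/\//i.test(pageUrl)) return [];
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const url = m[1] ?? m[2] ?? m[3];
    if (isInsecure(url)) findings.push({ kind: "script-src", url });
  }
  for (const m of html.matchAll(XHR_OPEN)) {
    if (isInsecure(m[1])) findings.push({ kind: "xhr-open", url: m[1] });
  }
  return findings;
}

// Both load paths are reported the same way for the https: page.
console.log(findMixedContent("https://example/page", SAMPLE_PAGE));
```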