
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 5 Jan 2015 11:34:59 +0100
Message-ID: <CADnb78i3EeBLsEQgWy35ykgqrxGuLzcuq9SrGf0J8u8_7jVb3Q@mail.gmail.com>
To: Tim Berners-Lee <timbl@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 11:24 AM, Tim Berners-Lee <timbl@w3.org> wrote:
> You are right of course. I guess the requirement needs to be rewritten
> more like:
>
>> No script which works when served as http: within an http: web page should
>> fail when instead served from https: within a https: web page

Why are scripts special? Why do you think

  var x = new XMLHttpRequest();
  x.open("GET", "http://example/test");
  x.send();

should succeed whereas

  <script src="http://example/test"></script>

should fail? (Assuming TLS for the surrounding context.) Both pose the
same problem.


-- 
https://annevankesteren.nl/
Received on Monday, 5 January 2015 10:35:26 UTC
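The point of the reply is that a plaintext http: fetch from a TLS page is the same hazard whether it is made by XMLHttpRequest or by a <script> element: an on-path attacker can rewrite either response and run code in the secure origin. The classifier below is an added illustration, not code from the email or from the WebAppSec WG. It models the check a browser applies, in the shape the later Mixed Content spec gave it: a request from a potentially trustworthy context to a non-trustworthy URL is mixed content, and it is "blockable" unless the destination is one of the passive kinds (image, audio, video). The scheme list, the loopback rule, the destination names, and the host "example" from the mail are assumptions made for the example; the contexts and URLs passed to demo() are constructed. It runs as-is in Node or a browser, where URL is a global.

```javascript
// Added example: a simplified mixed-content classifier. Not part of the
// original message; the scheme and destination lists follow the W3C Mixed
// Content spec as the author of this example understands it (assumption).

// Schemes whose responses are "a priori authenticated": they cannot have
// been altered by a network attacker in transit.
const AUTHENTICATED_SCHEMES = new Set([
  "https:", "wss:", "data:", "about:", "blob:", "file:",
]);

// Loopback hosts are treated as potentially trustworthy even over http:,
// since the traffic never leaves the machine.
function isLoopbackHost(hostname) {
  return hostname === "localhost" ||
         hostname.endsWith(".localhost") ||
         hostname === "[::1]" ||
         /^127(\.\d{1,3}){3}$/.test(hostname);
}

function isPotentiallyTrustworthy(url) {
  if (AUTHENTICATED_SCHEMES.has(url.protocol)) return true;
  return url.protocol === "http:" && isLoopbackHost(url.hostname);
}

// Destinations a user agent may load anyway (passive content). Everything
// else, including "script" and the empty destination that XMLHttpRequest
// and fetch() use, is blockable: the response can execute or read data.
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

/**
 * Classify a subresource request issued by a document at contextUrl.
 * requestUrl may be relative and is resolved against the context, so a
 * scheme-relative "//example/test" inherits https: and is not mixed.
 * Returns "allowed", "optionally-blockable" or "blockable".
 */
function classifyMixedContent(contextUrl, requestUrl, destination) {
  const context = new URL(contextUrl);
  const request = new URL(requestUrl, contextUrl);

  // A plain http: page has no integrity to protect; nothing is restricted.
  if (!isPotentiallyTrustworthy(context)) return "allowed";
  // A trustworthy target is not mixed content.
  if (isPotentiallyTrustworthy(request)) return "allowed";

  return OPTIONALLY_BLOCKABLE.has(destination)
    ? "optionally-blockable"
    : "blockable";
}

// The two cases from the mail (XHR vs. <script> from a TLS page) plus a few
// constructed variations showing where the boundary lies.
function demo() {
  const ctx = "https://example/page";
  return {
    // Both of Anne's cases land in the same bucket.
    xhr:            classifyMixedContent(ctx, "http://example/test", ""),
    script:         classifyMixedContent(ctx, "http://example/test", "script"),
    // Passive content is only optionally blockable.
    image:          classifyMixedContent(ctx, "http://example/logo.png", "image"),
    // Same scheme, or a scheme-relative URL, is not mixed at all.
    sameScheme:     classifyMixedContent(ctx, "https://example/test", "script"),
    schemeRelative: classifyMixedContent(ctx, "//example/test", "script"),
    // Loopback over http: is treated as trustworthy.
    loopback:       classifyMixedContent(ctx, "http://localhost:8080/test", "script"),
    // From a plain http: page nothing is restricted.
    plainPage:      classifyMixedContent("http://example/page", "http://example/test", "script"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The interesting rows are the first two: the classifier has no branch that distinguishes an XMLHttpRequest from a script element, because neither the spec's reasoning nor an attacker's capability depends on which API issued the plaintext request. One caveat for anyone porting this: real browsers also consult the upgrade-insecure-requests and block-all-mixed-content CSP directives before reaching this decision, which the example does not model.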
