
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Tim Berners-Lee <timbl@w3.org>
Date: Mon, 5 Jan 2015 06:26:50 -0500
Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <343A8D89-55C2-422E-B7FF-F06E686EA690@w3.org>
To: Anne van Kesteren <annevk@annevk.nl>

On 2015-01-05, at 05:34, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Jan 5, 2015 at 11:24 AM, Tim Berners-Lee <timbl@w3.org> wrote:
>> You are right of course. I guess the requirement needs to be rewritten
>> more like:
>>> No script which works when served as http: within an http: web page should
>>> fail when instead served from https: within a https: web page
> Why are scripts special?

They are not. Data is special.

> Why do you think
>  x = new XMLHttpRequest
>  x.open("GET", "http://example/test")
>  x.send()
> should succeed whereas
>  <script src=http://example/test>
> should fail? (Assuming TLS for the surrounding context.) Both pose the
> same problem.

- The first is necessary to access arbitrary open data out there on the web.
Which a web app needs to do. 
The data sources out there are random and discovered at runtime.
The script displays them to the user (say on a map).  If the data is intercepted the user's map will lie to them but the interceptor is not able to take immediate control of the app.

- In the second, the set of scripts I want to use is small, finite, and not changing dynamically.
I can always arrange for them to be served from a secure site by just copying them.
To intercept a script gives you immediate total control of the app.
There is no massive network of scripts all linked to each other using http: 

You are a browser writer:  you distrust the network, and also the web app developer, and the user.
I am a web app developer, I need to be able to access any data.
I am happy to and indeed want to secure the scripts and HTML and CSS which are part of my app.
I am happy to secure access to data which I control and serve.
I need to be able to access legacy insecure data like the Linked Open Data cloud (http://lod-cloud.net/).

If you don't allow web apps to access random HTTP data, then I have to make a native app.

When we introduced HTTP we made the URL system play with FTP URLs, though there was a security problem that in FTP the MIME type of the data is not known and there are all kinds of classic bugs and attacks possible. But it was important to be able to point to the existing massive legacy of FTP archives to make the web complete. Now we move to HTTPS we need to be able to still use HTTP as part of the web, link to it, and read it from a web app.

> -- 
> https://annevankesteren.nl/

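An added example in JavaScript, not code from either correspondent, that models the distinction argued above: `classifyRequest` applies the blockable / optionally-blockable split that the Mixed Content spec uses for an https: page's subresources (script and XHR both land in "blockable"), and `parsePoints` shows the property Tim relies on, that intercepted data can only make the map lie, holding only because the data is parsed and validated, never executed or rendered as markup. Function names and the sample payload are assumptions made for this illustration.

```javascript
// Resource kinds the Mixed Content spec treats as "optionally blockable";
// every other destination (script, XHR/fetch, iframe, ...) is "blockable".
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// Decide how a page's subresource request is handled under mixed-content rules.
// pageScheme: "http" or "https"; destination: what the request is for.
function classifyRequest(pageScheme, requestUrl, destination) {
  const scheme = new URL(requestUrl).protocol.replace(":", "");
  if (pageScheme !== "https" || scheme === "https") return "allowed";
  return OPTIONALLY_BLOCKABLE.has(destination) ? "optionally-blockable" : "blockable";
}

// "Data is special" only holds if data from an untrusted (possibly intercepted)
// source is never turned into code. parsePoints keeps the worst case at
// "the map lies": it accepts only finite lat/lon pairs in range plus a short
// plain-text label, and silently drops everything else.
function parsePoints(jsonText) {
  let raw;
  try { raw = JSON.parse(jsonText); } catch (e) { return []; }
  if (!Array.isArray(raw)) return [];
  const points = [];
  for (const item of raw) {
    if (typeof item !== "object" || item === null) continue;
    const lat = Number(item.lat), lon = Number(item.lon);
    if (!Number.isFinite(lat) || !Number.isFinite(lon)) continue;
    if (Math.abs(lat) > 90 || Math.abs(lon) > 180) continue;
    const label = typeof item.label === "string" ? item.label.slice(0, 80) : "";
    // label is kept as a string to be shown via textContent, never innerHTML
    points.push({ lat, lon, label });
  }
  return points;
}

// Constructed sample (not real data): an intercepted response with one
// out-of-range entry and one entry carrying markup in its label.
const SAMPLE = JSON.stringify([
  { lat: 51.5, lon: -0.12, label: "London" },
  { lat: "999", lon: 0, label: "nowhere" },
  { lat: 48.85, lon: 2.35, label: "<script>alert(1)</script>" },
]);

console.log(classifyRequest("https", "http://example/test", "xhr"));     // blockable
console.log(classifyRequest("https", "http://example/test", "script"));  // blockable
console.log(parsePoints(SAMPLE).length);                                 // 2
```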
Received on Monday, 5 January 2015 11:27:00 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC