
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Mathias Bynens <mathiasb@opera.com>
Date: Mon, 5 Jan 2015 12:38:46 +0100
Cc: Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <F74E9975-B34A-4604-8DBF-8B00C5F297CE@opera.com>
To: Tim Berners-Lee <timbl@w3.org>

On 5 Jan 2015, at 12:26, Tim Berners-Lee <timbl@w3.org> wrote:

> On 2015-01-05, at 05:34, Anne van Kesteren <annevk@annevk.nl> wrote:
> 
>> Why do you think
>> 
>> x = new XMLHttpRequest
>> x.open("GET", "http://example/test")
>> x.send()
>> 
>> should succeed whereas
>> 
>> <script src=http://example/test>
>> 
>> should fail? (Assuming TLS for the surrounding context.) Both pose the
>> same problem.
> 
> - The first is necessary to access arbitrary open data out there on the web.
> Which a web app needs to do. 
> The data sources out there are random and discovered at runtime.
> The script displays them to the user (say on a map).  If the data is intercepted the user's map will lie to them but the interceptor is not able to take immediate control of the app.

That becomes possible if the host page does something like `eval(response)`, which many pages still do.

Received on Monday, 5 January 2015 11:39:15 UTC
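The point made in this reply, as an added example that is not code from the thread or from any of its participants: an https:// page fetches map data over http://, an on-path attacker replaces the body, and what the attacker gets depends entirely on how the page consumes the response. The three response bodies are constructed for illustration, the network is simulated with plain strings so the code runs offline under Node, and the function names and the `interceptorRan` canary are assumptions of this example.

```javascript
// Added example, not code from the thread. Models Tim's "the map will lie"
// case and Mathias's eval(response) case side by side.

// Constructed: what the data source actually sent, a GeoJSON Point feature.
const HONEST_BODY =
  '{"type":"Feature","geometry":{"type":"Point","coordinates":[-0.1276,51.5074]},' +
  '"properties":{"name":"London"}}';

// Constructed: an interceptor's substitution that is still well-formed JSON.
// The marker is drawn in the wrong place (the map lies) but nothing executes.
const TAMPERED_DATA_BODY =
  '{"type":"Feature","geometry":{"type":"Point","coordinates":[0,0]},' +
  '"properties":{"name":"London"}}';

// Constructed: a substitution that is JavaScript rather than JSON. It still
// evaluates to a feature, so an eval()-based page keeps working as before,
// but the interceptor's code has already run with the page's full authority.
const TAMPERED_CODE_BODY =
  '(function () { globalThis.interceptorRan = true;' +
  ' return {type:"Feature",geometry:{type:"Point",coordinates:[0,0]},' +
  ' properties:{name:"London"}}; })()';

// Vulnerable consumer: the classic eval('(' + response + ')') idiom (the
// parentheses make an object literal parse as an expression). Whatever the
// interceptor puts on the wire executes in the page's origin.
function consumeWithEval(body) {
  return eval('(' + body + ')'); // direct eval of untrusted network data
}

// Hardened consumer: JSON.parse only ever yields data, and the shape check
// rejects anything that is not a Point feature with sane coordinates.
// Returns null when the body is rejected.
function consumeWithJsonParse(body) {
  let obj;
  try {
    obj = JSON.parse(body);
  } catch {
    return null; // not JSON: the code-carrying body is rejected here
  }
  return isPointFeature(obj) ? obj : null;
}

function isPointFeature(obj) {
  if (!obj || obj.type !== 'Feature' || !obj.geometry) return false;
  const g = obj.geometry;
  if (g.type !== 'Point' || !Array.isArray(g.coordinates) || g.coordinates.length !== 2) return false;
  const [lon, lat] = g.coordinates;
  return Number.isFinite(lon) && Number.isFinite(lat) &&
    lon >= -180 && lon <= 180 && lat >= -90 && lat <= 90;
}

// Runs one consumer against one body and reports whether the page got a
// usable feature and whether interceptor-supplied code executed.
function runScenario(consume, body) {
  delete globalThis.interceptorRan; // reset the canary TAMPERED_CODE_BODY sets
  let feature = null;
  let threw = false;
  try {
    feature = consume(body);
  } catch {
    threw = true;
  }
  return {
    accepted: feature !== null && !threw,
    coordinates: feature && feature.geometry ? feature.geometry.coordinates : null,
    codeExecuted: globalThis.interceptorRan === true,
  };
}

// Stand-alone run: print the four outcomes.
for (const [label, consume] of [['eval', consumeWithEval], ['JSON.parse', consumeWithJsonParse]]) {
  for (const [name, body] of [['tampered data', TAMPERED_DATA_BODY], ['tampered code', TAMPERED_CODE_BODY]]) {
    console.log(label, '/', name, '=>', runScenario(consume, body));
  }
}
```

Two things fall out of running it. With `eval`, the code-carrying body is accepted and `codeExecuted` is true: the interceptor has taken control, which is exactly the case the reply describes. With `JSON.parse` plus a shape check, that body is rejected and nothing runs, but the data-only substitution is still accepted with the wrong coordinates: safe parsing limits the damage to a lying map, it does not restore integrity, which only the transport can provide.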
