Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do. from Mathias Bynens on 2015-01-05 (public-webappsec@w3.org from January 2015)

From: Mathias Bynens <mathiasb@opera.com>
Date: Mon, 5 Jan 2015 12:38:46 +0100
To: Tim Berners-Lee <timbl@w3.org>
Cc: Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <F74E9975-B34A-4604-8DBF-8B00C5F297CE@opera.com>

On 5 Jan 2015, at 12:26, Tim Berners-Lee <timbl@w3.org> wrote:

> On 2015-01 -05, at 05:34, Anne van Kesteren <annevk@annevk.nl> wrote:
> 
>> Why do you think
>> 
>> x = new XMLHttpRequest
>> x.open("GET", "http://example/test")
>> x.send()
>> 
>> should succeed whereas
>> 
>> <script src=http://example/test>
>> 
>> should fail? (Assuming TLS for the surrounding context.) Both pose the
>> same problem.
> 
> - The first is necessary to access arbitrary open data out there on the web.
> Which a web app needs to do. 
> The data sources out there are random and discovered at runtime.
> The script displays them to the user (say on a map).  If the data is intercepted the user's map will lie to them but the interceptor is not able to take immediate control of the app.

That becomes possible if the host page does something like `eval(response)`, which many pages still do.

Received on Monday, 5 January 2015 11:39:15 UTC