
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 5 Jan 2015 12:45:26 +0100
Message-ID: <CADnb78gJ47KNyGaOXh==5R17VPa0SZ2drKVoEAMiX-xhoUU7Kw@mail.gmail.com>
To: Tim Berners-Lee <timbl@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 12:26 PM, Tim Berners-Lee <timbl@w3.org> wrote:
> They are not.  Data is special

Right. I think you could make your point more clear if rather than
talking about scripts (which could themselves create <script> elements
and such) you instead focused on the use case you care about, loading
some data from another origin.

There's already a problem with that today: it requires the other
origin to use CORS. If it does not have that, you need to use a proxy
(or indeed a native app).

If you want to authenticate your application, it requires the other
origin to support TLS (in addition to CORS). Again, you can use a
proxy to circumvent this (or indeed a native app).

Not having these restrictions in place enables all kinds of attacks
and classic bugs ;-)


-- 
https://annevankesteren.nl/
Received on Monday, 5 January 2015 11:45:55 UTC
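The "use a proxy" route mentioned above, as an added illustration that is not part of the original thread or of any WebAppSec WG deliverable: an HTTPS-served page relays data from a third-party origin that offers neither CORS nor TLS through its own origin, so the browser's mixed-content and CORS rules stay intact. All hosts and origins here are hypothetical, and the relay is deliberately limited to an allowlist so it does not become the kind of open proxy that invites the "classic bugs" the mail alludes to.

```python
"""Constructed example of a same-origin data proxy: the app's own (HTTPS)
origin fetches JSON from an allowlisted upstream and returns it with a
CORS header only for allowlisted page origins. Hosts are hypothetical."""
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

# Constructed allowlists; a real deployment would load these from config.
ALLOWED_UPSTREAMS = {"data.example.net"}            # hosts the proxy may fetch from
ALLOWED_PAGE_ORIGINS = {"https://app.example.org"}  # origins allowed to read replies

def upstream_allowed(url):
    """Permit only http(s) URLs to allowlisted hosts, so the relay is not an open proxy."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_UPSTREAMS

def cors_headers(request_origin):
    """Echo one allowlisted Origin back; send nothing for anything else so the
    browser blocks the cross-origin read (never answer with '*' here)."""
    if request_origin not in ALLOWED_PAGE_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}

class FakeResponse:
    """Stand-in for urlopen's response object so the example runs offline."""
    def __init__(self, body): self.body = body
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def read(self): return self.body

def proxy_app(environ, start_response, fetch=urlopen):
    """WSGI app: GET /fetch?url=<upstream> relays the upstream body with CORS headers."""
    target = parse_qs(environ.get("QUERY_STRING", "")).get("url", [""])[0]
    if not upstream_allowed(target):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"upstream not allowed"]
    headers = [("Content-Type", "application/json")]
    headers += list(cors_headers(environ.get("HTTP_ORIGIN")).items())
    with fetch(target) as resp:          # fetch over the app's own (server-side) connection
        body = resp.read()
    start_response("200 OK", headers)
    return [body]

def call(environ, fetch):
    """Run proxy_app once and return (status, headers, body) for inspection."""
    out = {}
    def start_response(status, headers): out["status"], out["headers"] = status, headers
    body = b"".join(proxy_app(environ, start_response, fetch))
    return out["status"], dict(out["headers"]), body
```

Serving this under the app's HTTPS origin (for example via `wsgiref.simple_server` behind a TLS terminator) is what lets the page authenticate the data source: the browser only ever talks to the app origin over TLS, and the proxy decides which upstreams and readers are acceptable.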
