Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 5 Jan 2015 12:45:26 +0100
Message-ID: <CADnb78gJ47KNyGaOXh==5R17VPa0SZ2drKVoEAMiX-xhoUU7Kw@mail.gmail.com>
To: Tim Berners-Lee <timbl@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>

On Mon, Jan 5, 2015 at 12:26 PM, Tim Berners-Lee <timbl@w3.org> wrote:
> They are not.  Data is special

Right. I think you could make your point more clear if rather than
talking about scripts (which could themselves create <script> elements
and such) you instead focused on the use case you care about, loading
some data from another origin.

There's already a problem with that today: it requires the other
origin to use CORS. If it does not have that, you need to use a proxy
(or indeed a native app).

If you want to authenticate your application it requires the other
origin to support TLS (in addition to CORS). Again, you can use a
proxy to circumvent this (or indeed a native app).

Not having these restrictions in place enables all kinds of attacks
and classic bugs ;-)

Received on Monday, 5 January 2015 11:45:55 UTC