
Re: [MIX] Require HTTPS scripts to be able to do anything HTTP scripts can do.

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Mon, 05 Jan 2015 07:39:10 -0500
Message-ID: <54AA85EE.2050905@mit.edu>
To: public-webappsec@w3.org

On 1/5/15 6:26 AM, Tim Berners-Lee wrote:
> - The first is necessary to access arbitrary open data out there on the web.

The problem is that it's somewhat common for pages to use dynamic script 
loaders which fetch script data via XMLHttpRequest and then execute it.

> If the data is intercepted the user's map will lie to them but the interceptor is not able to take immediate control of the app.

True, but if a script being loaded by a script loader is intercepted 
then the interceptor does in fact take immediate control of the app.

And the browser has no way to really tell these cases apart at the moment.

Resolving this problem is a must if we want to consider allowing XHR to 
http:// URLs from https:// contexts.  It may be viable to have a way to 
opt in to such XHRs explicitly on a per-load basis, with it being 
somehow clear that the page is expected to not trigger any script 
execution based on the returned data...

-Boris
Received on Monday, 5 January 2015 12:39:41 UTC
