- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 5 Jan 2015 17:40:44 +0100
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 5:26 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> If we allow access to http data from https web applications, there will
> be no way to make these guarantees to the user, which would make the web
> much weaker as a whole.

I don't necessarily disagree, but

a) we already allow this to some extent (see "Mixed Content") so it's not the best carrot

b) the server could still fetch data without an authenticated connection (see how Google was owned by the NSA)

c) executables are not bound by these limitations and are currently leapfrogging the web on phones

d) we are in fact planning on allowing tainted cross-scheme responses due to service workers and point a) above (for images, sound, video)

It's a rather fragile setup that we have and I guess the question is whether the current setup is efficient in helping us get towards near universal authenticated encryption or whether we should change a few variables.

--
https://annevankesteren.nl/
Received on Monday, 5 January 2015 16:41:11 UTC