W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 5 Jan 2015 17:40:44 +0100
Message-ID: <CADnb78hjiHjvzbaxTx+cTi=mxUOzGZDHpLjRQpe_DFCDt1nx=A@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 5:26 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> If we allow access to http data from https web applications, there will
> be no way to make these guarantees to the user, which would make the web
> much weaker as a whole.

I don't necessarily disagree, but

a) we already allow this to some extent (see "Mixed Content") so it's
not the best carrot

b) the server could still fetch data without an authenticated
connection (see how Google was owned by the NSA)

c) executables are not bound by these limitations and are currently
leapfrogging the web on phones

d) we are in fact planning on allowing tainted cross-scheme responses
due to service workers and point a) above (for images, sound, video)

It's a rather fragile setup that we have and I guess the question is
whether the current setup is efficient in helping us getting towards
near universal authenticated encryption or whether we should change a
few variables.

Received on Monday, 5 January 2015 16:41:11 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC