Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: yan <yan@mit.edu>
Date: Mon, 05 Jan 2015 09:33:16 -0800
Message-ID: <54AACADC.1000606@mit.edu>
To: Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

Brad Hill wrote:

> The edge cases introduced by this kind of optimistic upgrade may very
> well be fewer and less harmful than those introduced by allowing
> insecure content into secure contexts.  In fact, the EFF probably
> already has a good amount of data on exactly this from the HTTPS
> Everywhere extension.
>

Chiming in as I magically do whenever HTTPS Everywhere appears in
discussion, I am dubious that this would be a good idea. A significant
percentage of rules are *not* from an HTTP origin to the same origin
with HTTPS. However, in most cases this is just because the
same-origin-but-with-HTTPS doesn't support SSL (sites will often have a
cert for www* but not the bare domain), so it wouldn't cause any harm.

A dramatic example of where the HTTP and HTTPS sites are completely
semantically different: http://forbes.com vs https://forbes.com/.

I can ask EFF to produce this data more rigorously, but for now you can
get a rough estimate by randomly picking a page from
https://www.eff.org/https-everywhere/atlas/. Ex:
https://www.eff.org/https-everywhere/atlas/domains/rac.co.uk.html.

-Yan
ex-maintainer of https everywhere
Received on Monday, 5 January 2015 17:34:13 UTC
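
The distinction drawn in the message above, between a rule that only swaps the scheme and a rule that also moves the request to a different host, can be checked mechanically. The following is an added example, not part of the original message and not HTTPS Everywhere code; the rules use the `from`/`to` regex shape of HTTPS Everywhere rulesets, but every hostname, rule and function name here is constructed for illustration.

```javascript
// Constructed sample rules: JavaScript regex in `from`, $1-style
// backreferences in `to`. Hostnames are placeholders, not real rules.
const sampleRules = [
  { from: "^http://secure\\.example\\.org/", to: "https://secure.example.org/" },
  { from: "^http://example\\.com/", to: "https://www.example.com/" },
  { from: "^http://(www\\.)?shop\\.example\\.net/", to: "https://$1shop.example.net/" },
  { from: "^http://cdn\\.example\\.net/", to: "https://example-cdn.invalid/" },
];

// The "optimistic upgrade" from the thread: same host and path, https scheme.
function naiveUpgrade(url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return url;
  u.protocol = "https:";
  return u.href;
}

// Apply one rule the way a rewriting extension would; null if it does not match.
function applyRule(rule, url) {
  const re = new RegExp(rule.from);
  return re.test(url) ? url.replace(re, rule.to) : null;
}

// Compare the rule's target with the naive same-host upgrade.
function classify(rule, url) {
  const rewritten = applyRule(rule, url);
  if (rewritten === null) return "no-match";
  const target = new URL(rewritten);
  if (target.protocol !== "https:") return "not-https";
  return target.host === new URL(naiveUpgrade(url)).host ? "same-host" : "host-change";
}

// Constructed (rule, URL) pairs used to tally how many rewrites change the host.
const sampleCases = [
  [sampleRules[0], "http://secure.example.org/login"],
  [sampleRules[1], "http://example.com/a?b=1"],
  [sampleRules[2], "http://shop.example.net/cart"],
  [sampleRules[3], "http://cdn.example.net/x.js"],
];

function summarize(cases) {
  const counts = {};
  for (const [rule, url] of cases) {
    const kind = classify(rule, url);
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

console.log(summarize(sampleCases));
```

A "host-change" result marks the cases where a blind scheme swap and the hand-written rule disagree about where the secure version of the resource lives.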