- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 5 Jan 2015 09:39:26 -0800
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On 5 January 2015 at 09:24, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> Currently only for images and other "passive" or "optionally-blockable"
> [0] content, right? This is a weakness that we're accepting, and which
> is typically indicated to the user (albeit in a way that most people
> don't understand), right?

Isn't it also the case that cross-origin images like that are inaccessible to script? Obviously, there is some information leakage (timing, for instance), but rarely anything that could be actionable and therefore exploitable.

> But carving out more exceptions for
> cleartext seems like a step in the wrong direction, because it
> effectively lowers the ceiling of what protections the web can provide
> to the user for the communications channels used.

I think that this is right; the provisions for cleartext already introduce issues. I would hope that the end goal is to slowly eliminate those issues. Hopefully by providing the right incentives for the vast majority so that we can change the policy without adversely affecting too many.

I observe that - over time - we do break small parts of the legacy web in the name of making things more secure. But it takes careful consideration.
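The "optionally-blockable" carve-out being discussed above, worked through as an added example (editor's illustration, not part of the message or of the W3C Mixed Content spec text): a small policy evaluator that takes a page URL, a subresource URL and the request destination, and returns whether a browser following the spec's rules would fetch it silently, fetch it with a warning (the accepted weakness for images, audio and video), block it, or rewrite it to an authenticated scheme when `upgrade-insecure-requests` is in force. The destination set and the "a priori authenticated" scheme list follow the spec as I understand it; the function names, the simplified treatment of the page's own security state, and the sample fetches are this example's own assumptions.

```python
from urllib.parse import urlparse

# Request destinations the Mixed Content spec treats as "optionally-blockable":
# a cleartext fetch is allowed but the user is warned, instead of being blocked.
# (Assumption: the set as described for img, audio and video elements.)
OPTIONALLY_BLOCKABLE = {"image", "audio", "video"}

# URL schemes the spec treats as "a priori authenticated", i.e. never mixed content.
AUTHENTICATED_SCHEMES = {"https", "wss", "data", "about", "blob"}


def is_a_priori_authenticated(url: str) -> bool:
    """True if the URL's scheme alone makes the fetch authenticated."""
    return urlparse(url).scheme.lower() in AUTHENTICATED_SCHEMES


def upgrade(url: str) -> str:
    """Rewrite http->https and ws->wss (and an explicit port 80 to 443),
    the transformation upgrade-insecure-requests applies before fetching."""
    parts = urlparse(url)
    new_scheme = {"http": "https", "ws": "wss"}.get(parts.scheme.lower())
    if new_scheme is None:
        return url  # nothing to upgrade (already authenticated, or an unknown scheme)
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[: -len(":80")] + ":443"
    return parts._replace(scheme=new_scheme, netloc=netloc).geturl()


def decide(page_url: str, request_url: str, destination: str,
           upgrade_insecure: bool = False):
    """Return (action, final_url) for one subresource fetch.

    action is one of:
      "allow"   - not mixed content (cleartext page, or authenticated resource)
      "upgrade" - rewritten to an authenticated scheme before fetching
      "warn"    - optionally-blockable mixed content: fetched, user is warned
      "block"   - blockable mixed content: not fetched at all
    Simplification: the page counts as secure iff its own URL is authenticated.
    """
    if not is_a_priori_authenticated(page_url):
        return "allow", request_url  # a cleartext page cannot contain mixed content
    if is_a_priori_authenticated(request_url):
        return "allow", request_url
    if upgrade_insecure:
        upgraded = upgrade(request_url)
        if is_a_priori_authenticated(upgraded):
            return "upgrade", upgraded
    if destination in OPTIONALLY_BLOCKABLE:
        return "warn", request_url
    return "block", request_url


def audit(page_url: str, fetches, upgrade_insecure: bool = False) -> dict:
    """Count actions over a list of (request_url, destination) pairs; useful for
    seeing how much of a page's cleartext residue the upgrade header removes."""
    counts = {"allow": 0, "upgrade": 0, "warn": 0, "block": 0}
    for request_url, destination in fetches:
        action, _ = decide(page_url, request_url, destination, upgrade_insecure)
        counts[action] += 1
    return counts


# Constructed sample: an https page pulling a mix of cleartext and authenticated subresources.
SAMPLE_PAGE = "https://shop.example/"
SAMPLE_FETCHES = [
    ("http://cdn.example/hero.png", "image"),        # passive: warn
    ("http://cdn.example/track.js", "script"),       # active: block
    ("http://cdn.example:80/style.css", "style"),    # active: block
    ("https://cdn.example/app.js", "script"),        # authenticated: allow
    ("data:image/png;base64,AAAA", "image"),         # data: is authenticated: allow
    ("ws://chat.example/socket", "websocket"),       # active: block
]

if __name__ == "__main__":
    for request_url, destination in SAMPLE_FETCHES:
        print(decide(SAMPLE_PAGE, request_url, destination))
    print("without upgrade:", audit(SAMPLE_PAGE, SAMPLE_FETCHES))
    print("with upgrade:   ", audit(SAMPLE_PAGE, SAMPLE_FETCHES, upgrade_insecure=True))
```

Running the audit twice over the same sample shows the point of the discussion: without upgrading, the image is the only cleartext fetch that survives (with a warning), and with `upgrade-insecure-requests` every cleartext fetch is rewritten, so the accepted weakness disappears without any markup change on the page.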
Received on Monday, 5 January 2015 17:39:53 UTC