
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 5 Jan 2015 09:39:26 -0800
Message-ID: <CABkgnnV=pr=BYNf91Yt6FgebW80-QQAE-N7yz31z=Cx3=9Bz0A@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: WebAppSec WG <public-webappsec@w3.org>

On 5 January 2015 at 09:24, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> Currently only for images and other "passive" or "optionally-blockable"
> [0] content, right?  This is a weakness that we're accepting, and which
> is typically indicated to the user (albeit in a way that most people
> don't understand), right?

Isn't it also the case that cross-origin images like that are
inaccessible to script?  Obviously, there is some information leakage
(timing, for instance), but rarely anything that could be actionable
and therefore exploitable.

> But carving out more exceptions for
> cleartext seems like a step in the wrong direction, because it
> effectively lowers the ceiling of what protections the web can provide
> to the user for the communications channels used.

I think that this is right; the provisions for cleartext already
introduce issues.  I would hope that the end goal is to slowly
eliminate those issues.  Hopefully by providing the right incentives
for the vast majority so that we can change the policy without
adversely affecting too many.

I observe that - over time - we do break small parts of the legacy web
in the name of making things more secure.  But it takes careful
consideration.

Received on Monday, 5 January 2015 17:39:53 UTC
