
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 5 Jan 2015 18:54:14 +0100
Message-ID: <CADnb78jYipqutHU5Zd-HZR7KdPod8i6DTyVEMhsAyShxXFs=8g@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, WebAppSec WG <public-webappsec@w3.org>

On Mon, Jan 5, 2015 at 6:39 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> Isn't it also the case that cross-origin images like that are
> inaccessible to script?  Obviously, there is some information leakage
> (timing, for instance), but rarely anything that could be actionable
> and therefore exploitable.

The user could be misled if the images are replaced or altered in
transit. E.g. headlines done as images, an important news image, etc.
Given how something as simple as not securing clock synchronization can
have drastic consequences (has this been patched yet?) I would be
really suspect of any form of Mixed Content.

(I hope nobody is too confused with me trying to argue both sides to
tease out anything we're missing.)


-- 
https://annevankesteren.nl/
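The concern in the message above is that an image fetched over plain HTTP into an HTTPS page (passive mixed content) can be swapped or altered in transit, even though script cannot read its pixels. As an added example, not part of this thread or of any W3C deliverable, the following JavaScript classifies the resource URLs an HTTPS page would load and reports which ones are mixed content and whether they are "passive" (images, media) or "active" (scripts, frames). The tag-to-category mapping, the function names and the sample resource list are assumptions constructed for the example; in practice the list would come from walking the page's elements.

```javascript
// Added example (not from the thread): audit resource URLs for mixed content.
// "Active" resources can run code in the page's origin; "passive" ones cannot,
// but can still be replaced in transit, which is the risk the mail describes.
const ACTIVE_TAGS = new Set(["script", "iframe", "link", "object"]);   // assumed mapping
const PASSIVE_TAGS = new Set(["img", "audio", "video"]);              // assumed mapping

// Resolve `src` against the page URL and decide whether loading it would be
// mixed content. Scheme-relative URLs (//host/path) inherit https: and are fine;
// data: and blob: URLs are not network fetches and are treated as secure.
function classifyResource(pageUrl, tag, src) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(src, page);
  } catch (e) {
    return { mixed: false, kind: "invalid" };
  }
  if (page.protocol !== "https:") {
    return { mixed: false, kind: "page-not-https" };
  }
  if (target.protocol !== "http:") {
    return { mixed: false, kind: "secure" };
  }
  const kind = ACTIVE_TAGS.has(tag) ? "active"
             : PASSIVE_TAGS.has(tag) ? "passive"
             : "unknown";
  return { mixed: true, kind, url: target.href };
}

// Run the classifier over a list of {tag, src} pairs and attach the verdict.
function auditResources(pageUrl, resources) {
  return resources.map((r) => ({ tag: r.tag, src: r.src, ...classifyResource(pageUrl, r.tag, r.src) }));
}

// Constructed sample input, standing in for what a DOM walk over <img> and
// <script> elements might return.
const SAMPLE_RESOURCES = [
  { tag: "img",    src: "http://cdn.example/headline.png" },  // passive mixed content
  { tag: "img",    src: "//cdn.example/photo.jpg" },          // scheme-relative: resolves to https
  { tag: "script", src: "http://cdn.example/app.js" },        // active mixed content
  { tag: "img",    src: "data:image/gif;base64,R0lGODlh" },   // inline data, no fetch
];

// Count how many resources fall into each category, for a quick report.
function summarize(report) {
  const counts = { active: 0, passive: 0, unknown: 0 };
  for (const r of report) {
    if (r.mixed) counts[r.kind] += 1;
  }
  return counts;
}

const report = auditResources("https://news.example/", SAMPLE_RESOURCES);
console.log(report);
console.log(summarize(report));
```

The audit is deliberately strict about scheme: anything the page would fetch over `http:` is flagged, regardless of host, which matches the position in the message that no form of mixed content should be trusted.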
Received on Monday, 5 January 2015 17:54:41 UTC