W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 05 Jan 2015 17:55:24 +0000
Message-ID: <CAEeYn8jNmOL8J0KQ7A=-MDzutASwETmKR_-_cdGyhA6-JgChug@mail.gmail.com>
To: Tim Berners-Lee <timbl@w3.org>, Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Mon Jan 05 2015 at 3:26:59 AM Tim Berners-Lee <timbl@w3.org> wrote:

>
>
>  Data is special
>
> I am a web app developer, I need to be able to access any data.
> I am happy to and indeed want to secure the scripts and HTML and CSS which
> are part of my app.
> I am happy to secure access to data which I control and serve.
> I need to be able to access legacy insecure data like the think Linked
> Open Data cloud (http://lod-cloud.net/).
>
>
Are there particular obstacles to the providers of this data making it
available over HTTPS or other reasons why we should assume that, over time,
they will not do so?  Are the providers of this data actually making an
effort to make it usable in client-side web platform mashups?  (e.g.
setting CORS headers?)

I went to http://lod-cloud.net/, picked the first resource listed on the
home page and loaded the example resource (
http://data.linkededucation.org/resource/lak/conference/lak2013/paper/93) .
It is indeed not accessible over HTTPS, but neither does it return CORS
headers so would still require proxying or a native app for client-side
mashups.

It seems there is an educational outreach campaign needed to data providers
on best practices and necessary steps to enable their data to be used in
the web platform, so shouldn't that include making the data available over
HTTPS alongside setting an "Access-Control-Allow-Origin: *" header?

-Brad Hill
Received on Monday, 5 January 2015 17:55:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC