Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Mon, 05 Jan 2015 13:00:46 -0500
Message-ID: <54AAD14E.4000501@mit.edu>
To: public-webappsec@w3.org

On 1/5/15 11:26 AM, Daniel Kahn Gillmor wrote:
> this sounds buggy and prone to breakage.

Yes, I fully agree.  To be clear, I think making this sort of exception 
here is a bad idea from a security standpoint.  We've seen real-life 
security bugs due to things like the branching condition bit you describe.

I just think that allowing unfettered access to non-https XHR from an 
https page is an even worse idea.  ;)

-Boris
Received on Monday, 5 January 2015 18:01:19 UTC