
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 5 Jan 2015 10:14:26 -0800
Message-ID: <CABkgnnXKtqGY1e6K_jziQ8TvxmHGxR4vs=CAMLy0=HB6as4=vQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, WebAppSec WG <public-webappsec@w3.org>

On 5 January 2015 at 09:54, Anne van Kesteren <annevk@annevk.nl> wrote:
> The user could be misled if the images are replaced or altered in
> transit. E.g. headlines done as images, an important news image, etc.
> Given how something as simple as not securing clock synchronization can
> have drastic consequences (has this been patched yet?) I would be
> really suspect of any form of Mixed Content.

That's a position I think we're resigned to, isn't it?  I don't think
that it's great either, btw, but can tolerate it for now.

> (I hope nobody is too confused with me trying to argue both sides to
> tease out anything we're missing.)

I got that.
Received on Monday, 5 January 2015 18:14:56 UTC