
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Chris Palmer <palmer@google.com>
Date: Mon, 5 Jan 2015 11:52:38 -0800
Message-ID: <CAOuvq239_touTUTyLFZyRcmTL==L4v9a5FZkjfiGkDFohGABgQ@mail.gmail.com>
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jan 5, 2015 at 10:24 AM, Jeffrey Yasskin <jyasskin@google.com> wrote:

> To get the discussion on the same page, I'd like to make the strawman
> proposal:
>
> The fetch() API should provide some flag that explicitly skips the
> mixed-content checks (https://fetch.spec.whatwg.org/#concept-fetch).
> Possibly this flag should only work when the environment's CSP is
> "sufficiently" restrictive. The Response object should expose its associated
> TLS state.
>
> The concerns about tampering with pure data that Daniel, Martin, and others
> have expressed are real, so I'm not sure I support my strawman, but I think
> it's at least plausible.
>
> My biggest question about this is "how do we communicate it to users?" HTTPS
> and the green lock icon currently mean that the connection is authenticated,
> has integrity, and is confidential. A fetch() that skips mixed-content is
> definitely not confidential, and probably doesn't have authentication or
> integrity. Is the current passive-mixed-content indicator enough for this?

We must start with the story about how we'll communicate it to users.
Without that, we go off the rails immediately.

And, I don't think we can really afford to add more nuance and
distinctions in the already-too-complicated security UX in browsers.

Received on Monday, 5 January 2015 19:53:06 UTC
