
Re: [MIX] Require HTTPS scripts to be able to do anything HTTP scripts can do.

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 05 Jan 2015 23:06:05 +0000
Message-ID: <CAEeYn8iLyk9HtLygtJG=FXMdfY3ci=X=zgTLGQATA5NrrKjuDg@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>
Cc: Chris Palmer <palmer@google.com>, Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

> FWIW, if all the resources retrieved over HTTP were protected with
> sub-resource-integrity, then I think you have lost only some
> confidentiality and you still have integrity and authenticity.

Unfortunately, it is worth very little.  The motivating use case here is
the ability to pull in arbitrary open data for use in mashups, so the
application cannot reasonably know in advance a secure digest value of the
content and any plausibly secure way to provide this metadata assumes much
more competence and effort on the part of the data providers than merely
offering the same resources over https.

Received on Monday, 5 January 2015 23:06:33 UTC
