Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do. from Jeffrey Yasskin on 2015-01-05 (public-webappsec@w3.org from January 2015)

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Mon, 5 Jan 2015 15:35:23 -0800
To: Brad Hill <hillbrad@gmail.com>
Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, Chris Palmer <palmer@google.com>, Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CANh-dX=Cn5B=rmud2NKogNDEDDY6+K+hnVZnTHwtxVZdfzOeBQ@mail.gmail.com>

On Mon, Jan 5, 2015 at 3:25 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
> The only thing I can think of is that we are starting to make "Powerful
> Features" of the Web Platform only available to secure applications.   And
> this is a deliberate choice to encourage HTTPS adoption.  We do not want to
> break legacy applications, but we want to set the expectation that if you
> are doing maintenance on your application to add support for new platform
> features, the first feature you need to add is a secure transport.
>

A nit: The restriction of "Powerful Features" to HTTPS isn't primarily to
encourage HTTPS adoption: it's because these features are potentially
dangerous, and we want users to grant that dangerous capability to a
particular name (the origin), not that name *and* their ISP *and* the rest
of the network their packets traverse. There's a secondary benefit that it
encourages HTTPS adoption, but that's not the reason that's been convincing
people it's the right thing to do.

Otherwise, thanks for the clarification of the space.

Jeffrey

Received on Monday, 5 January 2015 23:36:10 UTC