
Re: [MIX] Require HTTPS scripts to be able to do anything HTTP scripts can do.

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Mon, 5 Jan 2015 15:35:23 -0800
Message-ID: <CANh-dX=Cn5B=rmud2NKogNDEDDY6+K+hnVZnTHwtxVZdfzOeBQ@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, Chris Palmer <palmer@google.com>, Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 3:25 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
> The only thing I can think of is that we are starting to make "Powerful
> Features" of the Web Platform only available to secure applications.   And
> this is a deliberate choice to encourage HTTPS adoption.  We do not want to
> break legacy applications, but we want to set the expectation that if you
> are doing maintenance on your application to add support for new platform
> features, the first feature you need to add is a secure transport.
>

A nit: The restriction of "Powerful Features" to HTTPS isn't primarily to
encourage HTTPS adoption: it's because these features are potentially
dangerous, and we want users to grant that dangerous capability to a
particular name (the origin), not that name *and* their ISP *and* the rest
of the network their packets traverse. There's a secondary benefit that it
encourages HTTPS adoption, but that's not the reason that's been convincing
people it's the right thing to do.

Otherwise, thanks for the clarification of the space.

Jeffrey
Received on Monday, 5 January 2015 23:36:10 UTC
