Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do. from Brad Hill on 2015-01-05 (public-webappsec@w3.org from January 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 05 Jan 2015 23:53:32 +0000
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, Chris Palmer <palmer@google.com>, Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8g-oomdoUz=yjY-6eQN9snEtx+PYqFQrTKg7G4k4h9ZNg@mail.gmail.com>

>
>
> A nit: The restriction of "Powerful Features" to HTTPS isn't primarily to
> encourage HTTPS adoption: it's because these features are potentially
> dangerous,
>

Yes, true.  The motivation to move to https is only a small facet of the
motivation there.

However - if in light of new requirements I had to choose solution spaces
between "Powerful Features" and possibly allowing users to grant something
like Geolocation permissions to an insecure app (perhaps with extra
warnings, in-context, at that point) vs. "Mixed-Content" and possibly
undermining or complicating the basic guarantees of HTTPS for all users and
all applications on the platform, I would still choose to work in the
"Powerful Features" solution space in a heartbeat.

The possible compromises and consequences in the "Mixed-Content" space
(outside of optimistic upgrade) all have much more collateral damage.

-Brad

Received on Monday, 5 January 2015 23:54:00 UTC