Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

On Mon, Jan 5, 2015 at 3:06 PM, Brad Hill <hillbrad@gmail.com> wrote:

>> FWIW, if all the resources retrieved over HTTP were protected with
>> sub-resource-integrity, then I think you have lost only some confidentiality
>> and you still have integrity and authenticity.
>
> Unfortunately, it is worth very little.  The motivating use case here is the
> ability to pull in arbitrary open data for use in mashups, so the
> application cannot reasonably know in advance a secure digest value of the
> content and any plausibly secure way to provide this metadata assumes much
> more competence and effort on the part of the data providers than merely
> offering the same resources over https.

Furthermore, the client cannot programmatically distinguish
OpenDataMashup.com from UnsafeEmailReader.com.

Received on Tuesday, 6 January 2015 00:00:42 UTC