W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Chris Palmer <palmer@google.com>
Date: Mon, 5 Jan 2015 16:00:15 -0800
Message-ID: <CAOuvq23=PKK6ZQzgMCu8Q63iCOCnFw_ZA3Sy92PrvcQvmMaGXw@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 3:06 PM, Brad Hill <hillbrad@gmail.com> wrote:

>> FWIW, if all the resources retrieved over HTTP were protected with
>> sub-resource-integrity, then I think you have lost only some confidentiality
>> and you still have integrity and authenticity.
>
> Unfortunately, it is worth very little.  The motivating use case here is the
> the ability to pull in arbitrary open data for use in mashups, so the
> application cannot reasonably know in advance a secure digest value of the
> content and any plausibly secure way to provide this metadata assumes much
> more competence and effort on the part of the data providers than merely
> offering the same resources over https.

Furthermore, the client cannot programmatically distinguish
OpenDataMashup.com from UnsafeEmailReader.com.
Received on Tuesday, 6 January 2015 00:00:42 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC