Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do. from Chris Palmer on 2015-01-06 (public-webappsec@w3.org from January 2015)

From: Chris Palmer <palmer@google.com>
Date: Mon, 5 Jan 2015 16:11:41 -0800
To: Brad Hill <hillbrad@gmail.com>
Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAOuvq23fPP4Vmq3BOU-wGOS1Vb-NdiAesu8nBZw30OkN+5DZaA@mail.gmail.com>

On Mon, Jan 5, 2015 at 3:25 PM, Brad Hill <hillbrad@gmail.com> wrote:

> The only thing I can think of is that we are starting to make "Powerful
> Features" of the Web Platform only available to secure applications.   And
> this is a deliberate choice to encourage HTTPS adoption.

It is likely to encourage HTTPS adoption, but that is not the primary
motivation for requiring secure transport for powerful features. The
primary motivation is simply to keep the power from becoming outright
ridiculous danger.

http://www.w3.org/TR/powerful-features/#intro

"""As the Web platform is extended to enable more useful and powerful
applications, it becomes increasingly important to ensure that the
features which enable those applications are enabled only in contexts
which meet a minimum security bar. This document outlines threat
models for feature abuse on the Web and outline normative requirements
which should be incorporated into documents specifying new
features."""

Although that point is tangential to this thread, I do want to clarify
that the [POWER] spec is not carrot-and-stick-ism, but
basic-safety-ism.

> Perhaps the 3rd party open data example demonstrates that this is not a
> reasonable incentive, because the actors who wish to create new applications
> with powerful features are not empowered, regardless of their incentives, to
> make the data they rely on available over secure channels.

Well, https://OpenDataMashup.com could proxy
http://legacy-data-source.com, or statically mirror it, making the
application appear secure to the client.

That's a nasty hack, but the operators of OpenDataMashup.com are
empowered to do that.

It's better to fix legacy-data-source.com, though. Yes, that's tough
to do; but this is a web of people depending on each other, not a web
of consequence-free fun-times. If OpenDataMashup.com mashes up the
train schedule with my tablet's camera feed*, yeah there's going to
have to be some engineering work and some discussion with the
operators of the train schedule site.

* Or whatever powerful feature you like

Received on Tuesday, 6 January 2015 00:12:12 UTC