
Re: [MIX] Require HTTPS scripts to be able to do anything HTTP scripts can do.

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 08 Jan 2015 14:06:13 +0000
To: Jeffrey Yasskin <jyasskin@google.com>, Mark Watson <watsonm@netflix.com>
Cc: Chris Palmer <palmer@google.com>, Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
Message-ID: <87k30x2wq2.fsf@alice.fifthhorseman.net>

On Mon 2015-01-05 22:08:47 +0000, Jeffrey Yasskin wrote:
> That sounds plausible too. So two options on the table so far are:
>
> * Use the passive-mixed-content treatment, the locked yellow triangle on
> https://support.google.com/chrome/answer/6098869.
> * Use the http treatment: the non-lock document on
> https://support.google.com/chrome/answer/6098869, subject to future changes
> per [Marking HTTP As Non-Secure].
>
> (I suppose the third option so far is "OMG Don't do this !!1!!1" :)

And the fourth option, as suggested multiple places in this discussion,
is to optimistically attempt https connections to the http subresources.
If they fail, they will fail no worse than an arbitrary network attack
against the cleartext resource.

If we're thinking about incentives to convert from http to https, the
optimistic http->https conversion would give the legacy data sources an
additional incentive to convert.

          --dkg
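As an added illustration of the fourth option (this is not code from the thread or from any browser), here is a Python sketch of an optimistic http->https upgrade for subresources of an https document: the https attempt is tried first, and a failure falls back to the original cleartext fetch, which is then flagged as mixed content. The fetch callback and the in-memory "network" are constructed stand-ins.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class FetchResult:
    url: str        # URL that was actually fetched
    body: bytes
    upgraded: bool  # an http:// reference was served over https://
    mixed: bool     # the https document ended up loading cleartext content


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https://; leave any other scheme untouched."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):          # explicit default port would be wrong for https
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def optimistic_fetch(document_url: str, subresource_url: str, fetch) -> FetchResult:
    """fetch(url) -> bytes and raises OSError on a network failure (assumed interface).

    Only subresources of an https document are upgraded; a failed upgrade falls
    back to the cleartext fetch, which is no worse than what would have happened
    without the attempt, but the result is marked as mixed content.
    """
    if urlsplit(document_url).scheme != "https":
        return FetchResult(subresource_url, fetch(subresource_url), False, False)
    candidate = upgrade_to_https(subresource_url)
    if candidate == subresource_url:     # already https (or a non-http scheme)
        return FetchResult(subresource_url, fetch(subresource_url), False, False)
    try:
        return FetchResult(candidate, fetch(candidate), True, False)
    except OSError:
        pass                             # https attempt failed; fall back below
    return FetchResult(subresource_url, fetch(subresource_url), False, True)


# Constructed stand-in for the network: which URLs "answer" and with what.
FAKE_NETWORK = {
    "https://cdn.example/lib.js": b"// served over TLS",
    "http://cdn.example/lib.js": b"// served in cleartext",
    "http://legacy.example/data.json": b'{"legacy": true}',   # no https endpoint
}


def fake_fetch(url: str) -> bytes:
    if url not in FAKE_NETWORK:
        raise OSError(f"connection failed: {url}")
    return FAKE_NETWORK[url]
```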
Received on Thursday, 8 January 2015 14:06:32 UTC