W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: Comments on Mixed Content

From: Mike West <mkwst@google.com>
Date: Wed, 14 Jan 2015 07:51:01 +0100
Message-ID: <CAKXHy=czaZ4b_x_M=3bLES0DKicHu7_6NLNF7M0sQfULVhk+Cg@mail.gmail.com>
To: David Walp <David.Walp@microsoft.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Thanks for your feedback, David! It sounds like we're getting closer!

On Wed, Jan 14, 2015 at 12:03 AM, David Walp <David.Walp@microsoft.com>
wrote:

> > I share Chris' skepticism of such wording. The NSA's infamous "SSL added
> and removed here" slide should make it quite clear that intranets are a)
> targets, and b) not as > secure as we'd all like them to be.
> >
> > Additionally, intranets are free to use insecure transport if they
> choose to. `http://intranet/` would not trigger mixed content warnings
> (and would also be clearly
> > insecure). If an intranet chooses to use secure transport, we should not
> reduce their expectations of security based simply upon hostname or IP
> address.
>
> Given that not all browser are able to distinguish between Intranet and
> Internet, unless we hear otherwise we will assume this specification is
> specific to the Internet environment.  OK?
>

Based on Chris' comments and my own, I would have expected the opposite
conclusion. :)

It's not clear to me what advantage we gain by allowing intranet resources
to be less secure than internet resources. Did neither of our arguments
appeal to you?


> > It's entirely possible that other implementations will need to rely on
> the plugin itself to do blocking (as Chrome and other UAs do with Flash and
> Incognito mode today).
>
> Because it is difficult (at least for us ) to understand what a plugin is
> doing, we have to rely on the plugin to do the right thing.  Our proposed
> tact would be users are responsible for the plugins installed and user
> agents should not be considered out of compliance because of user installed
> plugins. Sound OK?
>

I'd suggest that the spec should create requirements for plugin behavior,
just as the CSP spec does. It's likely that we won't be able to hit 100%
conformance, but we should be very clear about the direction we're pushing
towards.

Regarding the user agent's conformance, I'd suggest that it would be (for
example) Adobe's responsibility to provide a Flash plugin that meets the
spec's requirements, and we wouldn't ding IE for not meeting the
requirement.


> > I think the intent is fairly straightforward, but I'm happy to consider
> suggestions for a phrasing that would be less confusing.
>
> How about instead of "instead return a synthetically generated network
> error response" the wording "instead be treated as if a network or security
> error is returned."?
>

Sure. I'll look at the Fetch spec again and copy/paste whatever the current
wording for network error is.


> > On Thursday, December 11, 2014 4:09 AM, Anne van Kesteren
> annevankesteren@gmail.com
> >
> > WebSocket is its own stack. XMLHttpRequest however builds on the same
> stuff <img>, <script>, background-image, <link rel=icon>, sendBeacon(),
> etc. build on, Fetch. > They should have consistent handling of this stuff
> and it should be in the network layer. We also don't want that each new API
> we introduce that builds on Fetch, e.g.
> > fetch(), has to consider this and special case Mixed Content behavior.
> > That's just very bad layering.
>
> We think we are consistent between Websockets & XHR in our engine under
> development.  And we think our behavior is the same as Chrome.  Neither
> should throw an exception.
>

Ok. Then we'll need to ask the websocket folks to change their spec to stop
throwing; I'm fine with that as a solution for the same reasons that Anne
convinced me to be fine with not throwing for XHR.

Chrome's implementation might not match the spec here; I'll need to write
some tests to verify our behavior.


> > 7) Section 5.1, Example 5 - "even though the framed data URL was not".
> > We believe the text "even though the framed data URL was not" is
> incomplete.  Our opinion is that data URL should be treated the same as the
> web page that contains
> > the data URL.
>
> As a.com was loaded over a secure connection, the framed data URL
> inherited the secure context of its parent and hence loading from evil.com
> is blocked.  Make sense?
>

It's not clear that we're disagreeing about the conclusions here. :) Do you
still think the wording needs to be changed?

-mike


--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 14 January 2015 06:51:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC