W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: Definition of secure origin in MIX and POWER

From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 9 Jul 2015 04:36:16 -0400
Message-ID: <CAH8yC8=L52TujEE8OxmxYj58Oc_cvKSOxT2UrFRquOqtJqhbvA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Francois Marier <francois@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jul 8, 2015 at 11:42 AM, Brian Smith <brian@briansmith.org> wrote:
> Francois Marier <francois@mozilla.com> wrote:
>>
>> Is there a reason why the mixed content spec doesn't use the same
>> definition of "potentially secure origin" as the powerful features spec?
>>
>> In particular, "http://localhost" is potentially secure in POWER but not
>> in MIX.
>
> In some operating systems, it is possible to have localhost resolve to
> something other than ::1 or 127.0.0.1. In a reasonably-configured system,
> that wouldn't happen, but it makes me uncomfortable about treating
> HTTP://localhost specially.

What is the threat? Unauthorized code execution? If so, you have the
remediation. CSP won't allow it.

One of the good things about revenue based models: if something costs
someone money, they are more inclined to tend to it. As soon as the
ads stop working, the web will adjust itself to restore profitability.
Those CSP hashes will begin to show up everywhere.

Jeff
Received on Thursday, 9 July 2015 08:36:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC