W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2015

Re: some brief comments on mixedcontent

From: Mike West <mkwst@google.com>
Date: Mon, 22 Jun 2015 15:51:00 +0200
Message-ID: <CAKXHy=fXkS+vHhP4-_o19ywmrE_9aVw43oNgA3szyTYsmA0JHQ@mail.gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: W3C Web App Security WG <public-webappsec@w3.org>
Thank you for this detailed feedback, Jeff, and apologies that I took 3
months to address it.  Responses inline. :)

On Tue, Mar 17, 2015 at 5:02 PM, =JeffH <Jeff.Hodges@kingsmountain.com>
wrote:

> ###
>     NOTE:  "Mixed content" as used above (see also Section 5.3 in
>            [W3C.REC-wsc-ui-20100812]) refers to the notion termed "mixed
>            security context" in this specification and should not be
>            confused with the same "mixed content" term used in the
>            context of markup languages such as XML and HTML.
> ###
>
> So anyway, I realize that given how embedded the term "mixed contect" is in
> the web security world that it isn't going to be changed. however, I do
> suggest trying to disambiguate and clarify it in a spec such as
> mixedcontent.  e.g., I'd be tempted to add a subtitle of "mixed security
> context", and/or a disclaimer similar to the note above from RFC6797 that
> clarifies it as distinct from the notion in the markup language world.
>

Noted this in:
https://github.com/w3c/webappsec/commit/528162c3014ddd19cc6e04570fe19e57292ca0d1,
and added a brief discussion of "mixed security context" in order to
clarify the UI requirements below. I don't believe this is a normative
change from the previous text: the outcome should be the same.


>
> Also, [WSC-UI] is a Recommendation, and it clearly defines 'mixed content'
> [3] --- and mixedcontent [*] is clearly re-defining the term without
> reference to [WSC-UI]. I don't know how the W3C deals with one spec
> "updating" another (as is done in the IETF), but without resolution, it's a
> loose end (from my perspective anyway).
>

Noted this in
https://github.com/w3c/webappsec/commit/d9d8246bf985bcfe78d02dfb6d0c1be6ccb3b56a
.

in terms of the Note at the end of the Introduction in [*], you might want
> to s/more a user agent/more user agents/.
>
> FWIW, the earliest mentions of "Downloading non-secure content from a
> secure
> web site.." wrt IE that I can find refer to IE 6, and perhaps IE 5 or 5.5
> (yes, i poked around the internet archive too). I could not find any
> references to IE 4.
>

Fixed the typos and added sources:
https://github.com/w3c/webappsec/commit/9b1690c0432e0320fa861c89ced452bbaf45a5ed
:)


>    "A resource is said to be mixed content if the resource’s origin is
> insecure, and the context responsible for loading it restricts mixed
> content."
>
> ..seems a bit awkward in that the resource isn't going to be loaded if the
> loading context restricts such loads.
>
> And the example..
>
>    "The image http://example.com/image.png is mixed content when loaded by
> https://not.example.com/."
>
> ..seems odd because it talks about "when loaded", but mixed content is
> detected prior to loads in the case of a priori insecure (origin | url), or
> in the act of establishing a TLS connection and discovering that the
> resultant TLS-protection is deprecated.
>

I've addressed this differently than you suggested by widening the
definition of "mixed content" to include both requests and resources. This
was implicit in the way I was using the term already, so I don't believe it
introduces any normative changes in the document:
https://github.com/w3c/webappsec/commit/8732a8402ba535dc7ab05423fec251f8ceb5c8bd


> wrt "security considerations" I would add an item briefly discussing that
> being careful/strict about 'mixed content' is only protecting against
> attackers on the wire -- it does nothing to protect the requester if any of
> the servers involved in serving the resource being fetched are themselves
> surreptitiously compromised.  this is a point often neglected it seems.
>

I've poked at this in
https://github.com/w3c/webappsec/commit/33100dc4f465bf0820974a40ba8e7f1964931f15
.

WDYT?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 22 June 2015 13:51:48 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC