
Subresource integrity and mixed-content warnings

From: Frederik Creemers <frederikcreemers@gmail.com>
Date: Mon, 23 May 2016 20:32:37 +0200
Message-ID: <CAJA=sDSsmt9UHzht=-aK_y6U3jt3ccS-_QVBwVccb5B583uk+Q@mail.gmail.com>
To: public-webappsec@w3.org

Dear all,

I'm currently building a web application for listening to podcasts, and
would like to serve it over HTTPS. However, I have no control over the
servers that serve the actual audio/video files, frequently leading to
mixed-content warnings. I'm wondering if subresource integrity could
resolve some or all of these. If my site is served over HTTPS, the
checksums cannot be tampered with, so if someone were to do a MITM attack
on the connection to a media server, the checksum would fail.

I'm aware that this only gives us the MITM resistance, and not the
authentication and encryption offered by a fully HTTPS protected website.
I'm also aware that my server then somehow needs to connect to the media
server and calculate the checksum, and that a MITM attack could be
performed there. But I really feel the need for a solution to include non-HTTPS
content on HTTPS pages, especially non-executable content like images, audio
and video.

I don't often read W3C mailing lists, so I hope I'm posting this in the
right place.

Best regards,
Frederik
Received on Monday, 23 May 2016 18:33:06 UTC