W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2016

Re: Subresource integrity and mixed-content warnings

From: Chris Palmer <palmer@google.com>
Date: Mon, 23 May 2016 12:11:30 -0700
Message-ID: <CAOuvq21cNb--na9sCXcuxNoZzAJMr=j5TCps8q-SsDNCktSS6A@mail.gmail.com>
To: Frederik Creemers <frederikcreemers@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, May 23, 2016 at 12:04 PM, Frederik Creemers <
frederikcreemers@gmail.com> wrote:

Thank you for the reply, it makes total sense. It looks to me like the
> biggest issue here is transparency to the user. Security and privacy are
> complicated, even for tech savvy people, and you can't expect most people
> to take the time to overthink what security guarantees a particular web
> application they're using does and does not offer, so I understand browsers
> want to give users a very clear "this website is secure" or "this website
> is not secure" signal. Your response has also made me realize that there's
> no workaround for this that I can implement, as there's nothing that I can
> set up to magically make the connection between the user's browser and the
> podcaster's server secure (authenticated and encrypted).
>

Well, technically, it would be possible to lie. You could have your server
proxy the original podcast servers, and then the browsers would think that
the podcasts came from https://yourserver.com.

But, that would be lying :) and it would also incur heavy bandwidth costs
on you. Also, I am not a lawyer, but it might be that not all podcast
publishers would approve of such a plan.

I guess the only thing I can do is hope that media servers start accepting
> secure connections as quickly as possible.
>

If it makes you feel any better, you're not alone. :)
Received on Monday, 23 May 2016 19:11:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:56 UTC