- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 12 May 2017 11:18:17 -0700
- To: James Kettle <james.kettle@portswigger.net>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 12 May 2017 18:19:41 UTC
On Fri, May 12, 2017 at 10:20 AM, James Kettle <james.kettle@portswigger.net> wrote:

> I think this would need to support credentials for anyone to use it. I
> agree that trusting all subdomains isn't really a great idea, but it's a
> common use case and if you enforced a rule like '* must be followed by .'
> you could help out the many sites making Zomato's mistake of trusting
> literally everything that ends in zomato.com, including notzomato.com
>

Wildcards in CSP directives have this requirement (apart from standalone "*"). Completely reasonable.

> Maybe mixed content was a poor choice of terminology. I think this
> suggestion might have been misunderstood slightly. I'm suggesting that an
> application that specifies ACAO: true and ACAO: <some HTTP origin> should
> have the ACAC flag ignored. I don't see how this will make upgrading
> sites to HTTPS harder, since as Anne said the standard approach is to
> upgrade CDNs first and the application afterward, and it's only
> applications that care about allowing credentials.
>

Does Google have any telemetry on how often http->https XHR/fetch explicitly request credentials? Mozilla mixed-content telemetry ignores insecure documents so we don't have any.

- Dan Veditz
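An added illustration of the two points discussed above (not code from the thread or from either participant): a server-side origin check that contrasts the bare suffix match the thread attributes to Zomato with one where the wildcard must be followed by a ".", and a header builder that applies James's proposal of not honouring the credentials flag for an HTTP origin. The trusted domain and all origins are constructed sample values.

```python
# Constructed example: CORS origin validation for an endpoint that reflects
# the Origin header into Access-Control-Allow-Origin (ACAO).
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "zomato.com"   # constructed placeholder for the trusted site


def naive_is_trusted(origin: str) -> bool:
    """The mistake described in the thread: trust anything ending in the
    domain string, which also matches unrelated hosts such as notzomato.com."""
    return origin.endswith(TRUSTED_DOMAIN)


def strict_is_trusted(origin: str) -> bool:
    """'*' must be followed by '.': accept the trusted domain itself or a real
    subdomain of it, never a host that merely ends in the same letters."""
    parts = urlsplit(origin)
    host = parts.hostname or ""      # hostname is lower-cased and has no port
    if parts.scheme not in ("http", "https") or not host:
        return False                 # "null", malformed, or non-web origins
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def cors_headers(origin: str, wants_credentials: bool) -> dict:
    """Build CORS response headers for a credentialed endpoint.

    Following the proposal quoted in the thread, the
    Access-Control-Allow-Credentials (ACAC) flag is only emitted when the
    reflected origin is HTTPS; an HTTP origin gets ACAO without credentials,
    so a network attacker on the plain-HTTP side cannot obtain cookied data."""
    if not strict_is_trusted(origin):
        return {}                    # no CORS headers: the browser blocks the read
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if wants_credentials and urlsplit(origin).scheme == "https":
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```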