Re: Use case - John and Jane

On Fri, Mar 22, 2013 at 5:33 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Fri, Mar 22, 2013 at 4:57 PM, Ryan Sleevi <sleevi@google.com> wrote:
>>
>>  Scheme is either HTTP or HTTPS. An origin accessed over HTTP is *not*
>> the same as an origin accessed via HTTPS - because they are different
>> schemes.
>>
>
> Ryan,
>
> I generally agree with your argument here, but I wanted to observe
> that there has been some discussion of mechanisms for
> authenticating JS delivered over HTTP (e.g., script-hash).
>
> I don't think this changes your basic point though.
>
> -Ekr
>
>
Sure, but that's been in the context of the main page (and therefore
origin) being delivered over HTTPS, and it securely indicating the script-hash
for resources to load over HTTP (e.g., to permit edge caching).

An HTTP page embedding HTTP resources with script-hash is as insecure as an
HTTP page embedding HTTPS resources, which is as insecure as an HTTP page
embedding HTTP resources - the attacker can always modify the HTTP page
itself.

Received on Saturday, 23 March 2013 00:39:04 UTC
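The two points in this exchange, that the scheme is part of the origin and that a script-hash on a subresource cannot compensate for an embedding page served over HTTP, as an added example (not code from the thread or from any browser). The URL values, the script body and its published hash are constructed for illustration; the origin tuple follows the RFC 6454 (scheme, host, port) convention.

```python
import hashlib
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple; default ports are filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """http://host and https://host differ in scheme, so they are distinct origins."""
    return origin(url_a) == origin(url_b)


def script_hash_ok(body, expected_sha256_hex):
    """Verify a fetched script body against the hash the embedding page pinned."""
    return hashlib.sha256(body).hexdigest() == expected_sha256_hex


def subresource_trust(page_url, resource_url, body=None, expected_hash=None):
    """Classify a subresource; the embedding page's own integrity bounds everything.

    Returns (trusted: bool, reason: str).
    """
    if origin(page_url)[0] != "https":
        # The attacker can rewrite the HTTP page, hashes included, so nothing below matters.
        return (False, "embedding page is HTTP; the page itself can be modified")
    if origin(resource_url)[0] == "https":
        return (True, "HTTPS page embedding an HTTPS resource")
    if body is not None and expected_hash is not None and script_hash_ok(body, expected_hash):
        return (True, "HTTPS page pins an HTTP resource by script-hash")
    return (False, "HTTP resource without a verified script-hash")


# Constructed sample: a script body and the hash an HTTPS page would publish for it.
SCRIPT = b"window.ready = true;"
PUBLISHED_HASH = hashlib.sha256(SCRIPT).hexdigest()
TAMPERED = b"window.ready = true; document.cookie;"  # constructed modified body
```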