On Fri, Mar 22, 2013 at 5:33 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Fri, Mar 22, 2013 at 4:57 PM, Ryan Sleevi <sleevi@google.com> wrote: >> >> Scheme is either HTTP or HTTPS. An origin accessed over HTTP is *not* >> the same as an origin accessed via HTTPS - because they are different >> schemes. >> > > Ryan, > > I generally agree with your argument here, but I wanted to observe > out that there has been some discussion of mechanisms for > authenticating JS delivered over HTTP (e.g., script-hash). > > I don't think this changes your basic point though. > > -Ekr > > Sure, but that's been in the context of the main page (and therefore origin) are delivered over HTTPS, and it securely indicates the script-hash for resources to load over HTTP (eg: to permit edge caching). An HTTP page embedding HTTP resources with script-hash is as insecure as an HTTP page embedding HTTPS resources, which is as insecure as an HTTP page embedding HTTP resources - the attacker can always modify the HTTP page itself.
Received on Saturday, 23 March 2013 00:39:04 UTC