- From: Ian Hickson <ian@hixie.ch>
- Date: Sat, 4 Feb 2012 04:15:40 +0000 (UTC)
On Fri, 3 Feb 2012, Boris Zbarsky wrote:
> On 2/3/12 10:53 PM, Ian Hickson wrote:
> > Surely for the style sheets there's far less of a difficulty in
> > getting things right? I don't really understand what vulnerability
> > would be relevant here such that you'd need per-stylesheet control
> > over what was being imported.
>
> Hmm. I sort of assume that if you can control the styles you can really
> mess with the page, and probably get the user to do things the user
> doesn't really want to do. But maybe this is me overworrying?

No, I agree with you that if the author is using HTTP styles on their HTTPS page that an attacker could screw with the page. But my point is that fixing that is easy: just move the styles to HTTPS.

In the case of scripts it's not that easy because the scripts might be on third-party servers, in complicated setups, etc. So one could see a situation in which one might want (during a still-insecure transition period) control over the scripts on an individual basis, so that scripts that are known to no longer be needed can be excluded even if they are still referenced somewhere.

Adam might be able to comment more specifically on concrete examples of that kind of thing though, in case I am missing some key point!

--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
Received on Friday, 3 February 2012 20:15:40 UTC