[whatwg] should we add beforeload/afterload events to the web platform?

On Fri, Feb 3, 2012 at 10:47 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 2/3/12 11:15 PM, Ian Hickson wrote:
>>
>> No, I agree with you that if the author is using HTTP styles on their
>> HTTPS page that an attacker could screw with the page. But my point is
>> that fixing that is easy: just move the styles to HTTPS. In the case of
>> scripts it's not that easy because the scripts might be on third-party
>> servers
>
> Styles are also commonly found on third-party servers...
>
>> in complicated setups
>
> Likewise.
>
> But yeah, I'd love to hear from Adam here.

I've somewhat lost track of this thread.  If you're asking about how
dangerous it is to include HTTP styles in an HTTPS page, it's less
dangerous than script but more dangerous than images.  Chrome
classifies styles as "active mixed content", which has a number of
effects, including triggering scarier UI.

One way to think about insecure styles is to imagine they let the
attacker completely control the appearance of the page (this is
actually not that far from the truth).  There are many pages where
controlling their appearance is almost as good as injecting script
into them.  For example, you can convince the user to type their
password into a text field that is actually a direct message to the
attacker, etc.

Adam

Received on Saturday, 4 February 2012 09:52:21 UTC