On 23/09/2013 10:42, ianG wrote:
> And yes, once HTTPS is indicated on the original request, it has to
> maintain SSL/TLS protection across the lot, otherwise the security
> claim is broken.
That's not the case already, so there should not be an exception for
WebSockets.
In my case this forces me to use http instead of https to load the main
page, and this is of course more insecure.
The case of someone not trusting SSL/TLS should be considered too.
While both are insecure, this looks to me like nonsense to allow an insecure
http page loading https and not the contrary (or partially).
Regards
Aymeric
--
jCore
Email : avi...@jcore.fr
Peersm : http://www.peersm.com
iAnonym : http://www.ianonym.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Web : www.jcore.fr
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security