Le jeu. 26 sept. 2013 11:11:40 CEST, Aymeric Vitte a écrit :
For those interested I provided in the CSP thread a link to a FF bug
report where it's explained how some security policy (here Websocket
spec) forces me to do insecure things. I don't know what list can take
care of it, there is a discussion in [1] too, for now I did not see
really solid arguments showing that I could be wrong.
I answered on the webappsec thread. Firefox blocks mixed content for
good reasons. When receiving an HTTPS page, the browser shows lots of
signs of the page being secure. If the page starts loading
code/style/content with HTTP, these are subject to man in the middle
attacks and suddenly, the browser gives a false sense of security to the
user.
Firefox isn't forcing you to do insecure things. Firefox is forcing you
to make a choice: go all the way secure (so that it can shows strong
signal to the user) or use HTTP.
Maybe a solution could be combination of CSP and SES, I think SES
should come now, as far as I remember it is planned for ES8, seems too
late.
SES exists now... sort of... with Caja. You don't need to wait, it's
already available. Module loaders are also a major step forward.
Solving the code loading issue is indeed the key point, but is it
feasible?
Can you describe ways in which it isn't?
David
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
