Why is that? We're talking about HTTP Bob including HTTPS Alice, just like we're talking about an HTTP page including HTTPS jQuery.

Adam

On Wed, Jul 20, 2011 at 1:26 PM, Devdatta Akhawe wrote:
> The invariant I am talking about is more comparable to an https page
> including jquery with an http URL, something that, afaik, is considered not safe
> and blocked by browsers.
>
> -devdatta
>
> On 20 July 2011 13:24, Adam Barth wrote:
>>
>> I'm not sure that invariant makes sense. As another example, it seems
>> entirely reasonable for an HTTP page to include a copy of jQuery from
>> an HTTPS URL.
>>
>> Adam
>>
>>
>> On Wed, Jul 20, 2011 at 1:16 PM, Devdatta Akhawe wrote:
>> > Hi folks
>> >
>> > Consider a site at www.alice.com that wants to only be framed by their
>> > friends at www.bob.com.
>> >
>> > Say, a request to https://www.alice.com might respond with a
>> > X-Frame-Options: allow-from http://www.bob.com
>> >
>> > Clearly, https://www.alice.com has the privileges to act with the
>> > 'secure' cookie for alice.com. In this scenario, http://www.bob.com might
>> > actually be MITM'ed by Mallory and contain malicious code. In this scenario,
>> > does it make sense to allow http://www.bob.example to frame
>> > https://www.alice.example? I think this is wrong behavior: a higher-level
>> > invariant that should be maintained (at least in the newer specs :) is
>> > that only HTTPS content has access to secure cookie privileges.
>> >
>> > Thus, I think the right thing to do is:
>> > Enforce https for all the origins in the list returned in allow-from by
>> > https://www.alice.com. Even if https://www.alice.com responds with
>> > http://www.bob.com in its X-Frame-Options, the browser should only allow
>> > https://www.bob.com to frame https://www.alice.com
>> >
>> >
>> > I think this is even more compelling in case alice.com has enforced HSTS.
>> >
>> > What do others think?
>> >
>> >
>> > thanks
>> > devdatta
>> >
>> >
>> >
>> > _______________________________________________
>> > websec mailing list
>> > https://www.ietf.org/mailman/listinfo/websec
>> >
>> >
>
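The rule Devdatta proposes above, written out as an added illustration in JavaScript. This is not code from the thread, from the X-Frame-Options spec, or from any browser: it is a toy framing check that applies the header's normal meaning for DENY, SAMEORIGIN and ALLOW-FROM, plus the proposed twist that an https document's ALLOW-FROM origin is enforced as https even when the header names an http URL. Assumptions: origins are compared by serialized origin (scheme, host, port, via the WHATWG URL API), an ALLOW-FROM value that does not parse as a URL is treated as DENY, and any other unrecognised header value fails closed; the hostnames and header values below are constructed from the thread's scenario.

```javascript
// Added illustration of the proposal in the thread, not code from any browser or spec.
// Toy X-Frame-Options check: when the framed response came over https and its
// ALLOW-FROM names an http origin, only the https form of that origin may frame it.
// Assumed: origin comparison is by serialized origin; an ALLOW-FROM value that does
// not parse is treated as DENY; other unrecognised values fail closed (a choice for
// this toy, not a claim about browser behaviour).

function originOf(url) {
  // URL.origin normalises default ports: "https://a.example:443" -> "https://a.example"
  return new URL(url).origin;
}

// The ALLOW-FROM origin that should actually be enforced for a document served
// from framedUrl. Returns null when the header's value does not parse as a URL.
function effectiveAllowFrom(framedUrl, allowFromValue, enforceHttps = true) {
  let allowed;
  try {
    allowed = new URL(allowFromValue);
  } catch (e) {
    return null;
  }
  const framed = new URL(framedUrl);
  if (enforceHttps && framed.protocol === "https:" && allowed.protocol === "http:") {
    // Proposed rule: an https document's allow-list is upgraded to https, so a
    // MITM'ed http://www.bob.com cannot frame https://www.alice.com.
    allowed.protocol = "https:";
  }
  return allowed.origin;
}

// May a top-level document at framerUrl frame the document served from framedUrl
// with this X-Frame-Options header value?
function mayFrame(framedUrl, xfoValue, framerUrl, enforceHttps = true) {
  const value = xfoValue.trim();
  if (/^DENY$/i.test(value)) return false;
  if (/^SAMEORIGIN$/i.test(value)) return originOf(framedUrl) === originOf(framerUrl);
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(value);
  if (!m) return false; // unrecognised value: fail closed in this toy
  const allowed = effectiveAllowFrom(framedUrl, m[1], enforceHttps);
  return allowed !== null && allowed === originOf(framerUrl);
}

// Constructed cases mirroring the thread's scenario.
const cases = [
  // alice over https lists http://www.bob.com; the proposal admits only https bob
  ["https://www.alice.com/", "ALLOW-FROM http://www.bob.com", "https://www.bob.com/", true],
  ["https://www.alice.com/", "ALLOW-FROM http://www.bob.com", "http://www.bob.com/", false],
  // Adam's counterexample: an http page letting an https origin frame it is fine
  ["http://www.alice.com/", "ALLOW-FROM https://www.bob.com", "https://www.bob.com/", true],
  // no upgrade when the framed document itself is plain http
  ["http://www.alice.com/", "ALLOW-FROM http://www.bob.com", "http://www.bob.com/", true],
  // a third party never matches
  ["https://www.alice.com/", "ALLOW-FROM http://www.bob.com", "https://www.mallory.com/", false],
];

for (const [framed, xfo, framer, expected] of cases) {
  const got = mayFrame(framed, xfo, framer);
  console.log(`${framed} [${xfo}] framed by ${framer}: ${got} (expected ${expected})`);
}
```

Passing `enforceHttps = false` gives the literal match Adam's reply accepts (http://www.bob.com may frame the https document because the header said so); the default applies Devdatta's stricter reading. Note that the upgrade only changes the scheme of the allowed origin, so a page served over plain http keeps whatever ALLOW-FROM scheme it asked for.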
