ES Native Mode proposal
bruant.d at gmail.com
Thu Sep 26 02:43:04 PDT 2013
Le jeu. 26 sept. 2013 11:11:40 CEST, Aymeric Vitte a écrit :
> For those interested I provided in the CSP thread a link to a FF bug
> report where it's explained how some security policy (here Websocket
> spec) forces me to do insecure things. I don't know what list can take
> care of it, there is a discussion in  too, for now I did not see
> really solid arguments showing that I could be wrong.
I answered on the webappsec thread. Firefox blocks mixed content for
good reasons. When receiving an HTTPS page, the browser shows lots of
signs of the page being secure. If the page starts loading
code/style/content with HTTP, these are subject to man in the middle
attacks and suddenly, the browser gives a false sense of security to the
Firefox isn't forcing you to do insecure things. Firefox is forcing you
to make a choice: go all the way secure (so that it can shows strong
signal to the user) or use HTTP.
> Maybe a solution could be combination of CSP and SES, I think SES
> should come now, as far as I remember it is planned for ES8, seems too
SES exists now... sort of... with Caja. You don't need to wait, it's
already available. Module loaders are also a major step forward.
> Solving the code loading issue is indeed the key point, but is it
Can you describe ways in which it isn't?
More information about the es-discuss