ES Native Mode proposal

David Bruant bruant.d at gmail.com
Thu Sep 26 02:43:04 PDT 2013


On Thu, 26 Sep 2013 11:11:40 CEST, Aymeric Vitte wrote:
> For those interested I provided in the CSP thread a link to a FF bug
> report where it's explained how some security policy (here Websocket
> spec) forces me to do insecure things. I don't know what list can take
> care of it, there is a discussion in [1] too, for now I did not see
> really solid arguments showing that I could be wrong.
I answered on the webappsec thread. Firefox blocks mixed content for good reasons. When receiving an HTTPS page, the browser shows lots of signs of the page being secure. If the page starts loading code/style/content over HTTP, these are subject to man-in-the-middle attacks and suddenly the browser gives a false sense of security to the user.
Firefox isn't forcing you to do insecure things. Firefox is forcing you to make a choice: go all the way secure (so that it can show a strong signal to the user) or use HTTP.

> Maybe a solution could be combination of CSP and SES, I think SES
> should come now, as far as I remember it is planned for ES8, seems too
> late.
SES exists now... sort of... with Caja. You don't need to wait, it's 
already available. Module loaders are also a major step forward.

> Solving the code loading issue is indeed the key point, but is it
> feasible?
Can you describe ways in which it isn't?

David
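As an added illustration of the mixed-content rule discussed above (this is example code, not from the thread or from Firefox), the block below models the decision a browser makes for each subresource fetch from an HTTPS page, and the rewrite that the CSP directive `upgrade-insecure-requests` applies to "go all the way secure". The scheme list is a deliberate simplification of the W3C Mixed Content spec's "potentially trustworthy" set, and the sample URLs are constructed.

```javascript
// Added example, not part of the original message. Models the browser's
// mixed-content decision and the http->https / ws->wss upgrade.
// Runs in Node (>= 10) or any browser with the WHATWG URL class.

// Schemes whose responses a network attacker cannot tamper with.
// Assumption: a simplified version of the spec's "potentially trustworthy" list.
const TRUSTWORTHY_SCHEMES = new Set(["https:", "wss:", "data:", "blob:", "about:"]);

// Loopback hosts are also treated as trustworthy by current browsers.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  return TRUSTWORTHY_SCHEMES.has(u.protocol) || LOOPBACK_HOSTS.has(u.hostname);
}

// Decide whether a fetch for `resourceUrl`, issued from the document at
// `documentUrl`, is mixed content. Returns "allowed" or "blocked".
function classifyFetch(documentUrl, resourceUrl) {
  // A plaintext page has no security indicator to protect: nothing is "mixed".
  if (!isPotentiallyTrustworthy(documentUrl)) return "allowed";
  // Relative URLs resolve against the page and inherit its scheme.
  const resolved = new URL(resourceUrl, documentUrl);
  // From a secure page, anything a MITM could rewrite (http:, ws:, and any
  // scheme we do not positively trust) is blocked.
  return isPotentiallyTrustworthy(resolved.href) ? "allowed" : "blocked";
}

// The rewrite performed by CSP `upgrade-insecure-requests`: http -> https,
// ws -> wss, everything else untouched. The URL parser already drops the
// default port (":80"), so no explicit port handling is needed here.
function upgradeInsecure(url) {
  const u = new URL(url);
  if (u.protocol === "http:") u.protocol = "https:";
  else if (u.protocol === "ws:") u.protocol = "wss:";
  return u.href;
}

// Constructed sample: subresources an HTTPS page might try to load.
const PAGE = "https://app.example/";
const SAMPLE_RESOURCES = [
  "/static/app.js",                 // relative: inherits https, allowed
  "https://cdn.example/lib.js",     // allowed
  "http://cdn.example/lib.js",      // blocked: script over plaintext
  "ws://app.example/socket",        // blocked: the WebSocket case from the thread
  "wss://app.example/socket",       // allowed
  "http://localhost:8080/dev.js",   // allowed: loopback
];

function report(pageUrl, resources) {
  return resources.map((r) => ({
    resource: r,
    decision: classifyFetch(pageUrl, r),
    upgraded: upgradeInsecure(new URL(r, pageUrl).href),
  }));
}

for (const row of report(PAGE, SAMPLE_RESOURCES)) {
  console.log(`${row.decision.padEnd(7)} ${row.resource}  ->  ${row.upgraded}`);
}
```

The point the table makes: every row that comes back `blocked` is also a row where the upgraded URL would have been allowed, which is exactly the "all the way secure" choice the reply describes. Serving the page over `http://` makes every fetch `allowed`, at the cost of the page having no secure indicator to begin with.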


More information about the es-discuss mailing list