On 23/09/13 11:21 AM, Aymeric Vitte wrote:
> Please see: https://bugzilla.mozilla.org/show_bug.cgi?id=917829
>
> I think I have detailed already in the bug report why it does not
> necessarily make sense to forbid ws from a https page, for your review and
> comments.

The problem might be that when you switch across to webservices, there
seems no way to say "use webservices, but I won't tell you which
security level to use."

That is, "wsa:/...." where 'wsa' could mean webserversagnostic, either
ws or wss.

(fwiw, this is a core flaw in the HTTPS model, that the coder can
choose. And yes, once HTTPS is indicated on the original request, it
has to maintain SSL/TLS protection across the lot, otherwise the
security claim is broken.)

iang