Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
On Thu, 11 Nov 2010, Ingo Chao wrote: > > For automated error reporting, say for a HTTPS mashup page with 3rd > party advertisement content, I would like to have a security warning > thrown for the mixed content situation (HTTPS mixed with HTTP content), > accessible from JavaScript. On Sat, 13 Nov 2010, Ingo Chao wrote: > > The mashup combines components, some of them are not under my control. > The advertisement service provides 3rd party ads, they will change > often. Including the ad service means that I never know if and when > someone throws in http content into the mix. > > The error console would show the issue to me, but does not report > automatically. I don't want to be dependent on user's bug reports > regarding the warning they see occasionally. Users get upset, or think > that they'd better leave is insecure place, but usually they won't file > a but report. I need to get this info as soon as the event fires. > > I've seen this scenario on some https mashups, like web mail services > that inluce ad services into their mashup. On Sat, 13 Nov 2010, Gregory Maxwell wrote: > > This sounds to me like the kind of reasoning which resulted in the CSP > policy set stuff: > > https://developer.mozilla.org/en/Security/CSP > > (and, in particular, the violation reports) I haven't added anything to the spec at this time, on the assumption that this is indeed the kind of thing which CSP might fix in the medium-term future. If it turns out that CSP, or whatever CSP gets replaced by, doesn't solve this use case, then we should revisit it. Cheers, -- Ian Hickson U+1047E)\._.,--,'``.fL http://ln.hixie.ch/ U+263A/, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
On Sat, Nov 13, 2010 at 5:37 PM, Ingo Chao wrote: > 2010/11/13 timeless : [snip] > Good contracts with the component's providers of a mashup are > neccessary, but not sufficient to resolve the mixed https/http issue > in reality. Another ingredient for a secure mashup would be the event > I am proposing, to alert the mashup's owner that something was going > wrong, by mistake. That a component was loaded insecure. This sounds to me like the kind of reasoning which resulted in the CSP policy set stuff: https://developer.mozilla.org/en/Security/CSP (and, in particular, the violation reports)
Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
2010/11/13 timeless : > On Sat, Nov 13, 2010 at 2:52 PM, Ingo Chao wrote: >> The mashup combines components, some of them are not under my control. >> The advertisement service provides 3rd party ads, they will change >> often. > >> Including the ad service means that I never know if and when >> someone throws in http content into the mix. > > You need a better contract with your advertiser. You need to demand > that they don't provide non https content. > > Besides, no advertiser in their right mind wouldn't want to know that > you only want https content. Each time your users load a page and the > advertiser fails to load an ad, the advertiser loses money. > Good contracts with the component's providers of a mashup are neccessary, but not sufficient to resolve the mixed https/http issue in reality. Another ingredient for a secure mashup would be the event I am proposing, to alert the mashup's owner that something was going wrong, by mistake. That a component was loaded insecure. Thanks, Ingo
Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
On Sat, Nov 13, 2010 at 2:52 PM, Ingo Chao wrote: > The mashup combines components, some of them are not under my control. > The advertisement service provides 3rd party ads, they will change > often. > Including the ad service means that I never know if and when > someone throws in http content into the mix. You need a better contract with your advertiser. You need to demand that they don't provide non https content. Besides, no advertiser in their right mind wouldn't want to know that you only want https content. Each time your users load a page and the advertiser fails to load an ad, the advertiser loses money.
Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
2010/11/13, Anne van Kesteren : > On Fri, 12 Nov 2010 23:02:16 +0100, Ingo Chao > wrote: >> An event that says 'something was loaded insecurely' would be helpful. >> No need to report the URL, and no need to have the ability to prevent >> the loading in the first place. >> >> The bug reporting tool of the mashup page would inform me that the >> mixed content warning event was fired. These issues have to be >> investigated manually in any case. > > Maybe this is something that should be warned for in the error console > instead then? Why does this need to be an API exposed to the web? The mashup combines components, some of them are not under my control. The advertisement service provides 3rd party ads, they will change often. Including the ad service means that I never know if and when someone throws in http content into the mix. The error console would show the issue to me, but does not report automatically. I don't want to be dependent on user's bug reports regarding the warning they see occasionally. Users get upset, or think that they'd better leave is insecure place, but usually they won't file a but report. I need to get this info as soon as the event fires. I've seen this scenario on some https mashups, like web mail services that inluce ad servises into their mashup. > > > -- > Anne van Kesteren > http://annevankesteren.nl/ > -- Ingo Chao http://www.satzansatz.de/
Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
On Fri, 12 Nov 2010 23:02:16 +0100, Ingo Chao wrote: An event that says 'something was loaded insecurely' would be helpful. No need to report the URL, and no need to have the ability to prevent the loading in the first place. The bug reporting tool of the mashup page would inform me that the mixed content warning event was fired. These issues have to be investigated manually in any case. Maybe this is something that should be warned for in the error console instead then? Why does this need to be an API exposed to the web? -- Anne van Kesteren http://annevankesteren.nl/
Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
2010/11/12, Daniel Veditz : > On 11/11/10 12:06 PM, Ingo Chao wrote: >> For https mashups, users will see always a few >> security warnings in IE or Chrome, because a few components will be >> delivered via http. Thats good, but I would like to know that, too. >> The mashup should report that automatically. Hence my question >> regarding a warning which is accessible via JS. > > What do you want to know, and what will your page do with that? > Simply that "something" was loaded insecurely? An event that > something was loaded insecurely so you can stop it from loading? > Detailed knowledge of what URL was loaded insecurely and by whom > (not likely to fly)? An event that says 'something was loaded insecurely' would be helpful. No need to report the URL, and no need to have the ability to prevent the loading in the first place. The bug reporting tool of the mashup page would inform me that the mixed content warning event was fired. These issues have to be investigated manually in any case. thanks Ingo > -- Ingo Chao http://www.satzansatz.de/
Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
On 11/11/10 12:06 PM, Ingo Chao wrote: > For https mashups, users will see always a few > security warnings in IE or Chrome, because a few components will be > delivered via http. Thats good, but I would like to know that, too. > The mashup should report that automatically. Hence my question > regarding a warning which is accessible via JS. What do you want to know, and what will your page do with that? Simply that "something" was loaded insecurely? An event that something was loaded insecurely so you can stop it from loading? Detailed knowledge of what URL was loaded insecurely and by whom (not likely to fly)?
Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
2010/11/11, timeless : > On Thu, Nov 11, 2010 at 12:17 PM, Ingo Chao wrote: >> For automated error reporting, say for a HTTPS mashup page with 3rd >> party advertisement content, I would like to have a security warning >> thrown for the mixed content situation (HTTPS mixed with HTTP >> content), accessible from JavaScript. >> >> Would that be possible to specify? > > sounds like it's asking for information disclosure. > > so offhand, i'd say "no". > > Use a web debugger (DragonFly, Firebug, ...). I use a web debugger for testing a control sample, but It does not help much until I know that every single ad is delivered via https. Usually, I don't know. For https mashups, users will see always a few security warnings in IE or Chrome, because a few components will be delivered via http. Thats good, but I would like to know that, too. The mashup should report that automatically. Hence my question regarding a warning which is accessible via JS. Thanks Ingo > -- Ingo Chao http://www.satzansatz.de/
Re: [whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
On Thu, Nov 11, 2010 at 12:17 PM, Ingo Chao wrote: > For automated error reporting, say for a HTTPS mashup page with 3rd > party advertisement content, I would like to have a security warning > thrown for the mixed content situation (HTTPS mixed with HTTP > content), accessible from JavaScript. > > Would that be possible to specify? sounds like it's asking for information disclosure. so offhand, i'd say "no". Use a web debugger (DragonFly, Firebug, ...).