admin/100_percent_https_roadmap.md: 4 additions & 2 deletions
@@ -29,6 +29,8 @@ Starting Assumptions
29
29
30
30
e.g. 4 if Facebook is going to send a security token somewhere on your behalf, it wants to be sure it will never do so over an insecure channel or one that is only “optimistically” secure.
31
31
32
+
TimBL: users must be able to control how the user agent trusts on their behalf
33
+
32
34
The Invariants
33
35
----------------------------------
34
36
From the Biba and Bell-LaPadula formal integrity models.
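Review bot: the new "TimBL: users must be able to control how the user agent trusts on their behalf" line (new line 32) is stated as an attributed opinion with no source, while the neighbouring assumptions (for example the Facebook security-token case on line 30) are written as concrete, checkable claims about behaviour. Link the message or issue where this requirement was raised and spell out what "control how the user agent trusts" means in practice (which trust decisions the user can override, and whether such an override may weaken the No Read Down / No Write Up invariants introduced directly below), otherwise the reader cannot tell whether it constrains the roadmap or merely records a position.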
@@ -55,8 +57,8 @@ No Read Down / No Write Up
55
57
- http resources can GET/POST to https resources
56
58
- Cookies (even w/secure flag) can be written by http and are sent to https
57
59
* Distinct invariants, but the web is very bad a data/code separation.
58
-
* Even if we wanted to make an exception to Read Down (e.g. open data over http) it is impossible to guarantee that No Write Up isn’t also violated.
59
-
- “optionally blockable” mixed content attempts this distinction, but XHR + JS is not strongly typed enough to allow read down without write up in an “open data” application
60
+
* Even if we wanted to make an exception to Read Down (e.g. to read an open data source that is served only over http) it is impossible to guarantee that No Write Up isn’t also violated.
61
+
- “optionally blockable” mixed content attempts this distinction, but XHR + JS is not strongly typed enough to allow read down without write up in such an application
60
62
* There is also metadata and other information leakage possible in a secure->insecure read operation
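Review bot: the rewording of the Read Down exception (new line 60) is clearer, but the sub-bullet below it (new line 61) now ends in "in such an application", whose antecedent is the parenthetical "open data source that is served only over http" rather than an application; the old text named "an “open data” application" explicitly. Suggest "in an application that reads such a source over http" so the point that XHR + JS cannot separate read-down data from write-up code still lands. While touching this block, the unchanged context has two small issues worth fixing in the same commit: "the web is very bad a data/code separation" (line 59) should read "very bad at data/code separation", and the list mixes "-" (lines 57-58) and "*" (lines 59-62) bullets at the same nesting level.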