[HTTPS-Everywhere] Microsoft.com/security/ exclusion needed

Chris Palmer chris at eff.org
Mon Oct 18 11:45:51 PDT 2010


Peter Eckersley writes:

> Yes, but we should remain vigilant for problems with framebusting JS that
> uses hardcoded http:// destinations.

Yes.

This is what happens when people throw cruft at our problems. :)

> > redirecting to unsafe transport is no way to stop cookie theft. :)
>
> Are you sure?  What if the cookie is flagged as secure, and is only to be sent
> to genuinely secure portions of the site, while other portions of the site
> have mixed content and therefore can't be trusted with the secure cookie?

Mixed content isn't bad on a per-page basis; it's worse: it's bad on a per-origin basis and on a per-cookie-scope basis. Trying to secure an origin that contains mixed content is a fool's errand.

> > I can't imagine what they are thinking. We should lobby them to change it so
> > that HTTPS works.
>
> Agreed.  Do people think we should add an exclusion in the meantime?

Sure.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
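The kind of exclusion the thread is asking about, written out as an added example in the HTTPS Everywhere ruleset format (this is not a ruleset taken from the thread or from the project's rule files). The path /security/ comes from the subject line; the host www.microsoft.com, the ruleset name and the catch-all rewrite rule are assumptions made for illustration:

```xml
<!-- Added example ruleset: the host and the rewrite rule are assumptions, only the
     /security/ path is from the thread. HTTPS Everywhere checks <exclusion> patterns
     before applying any <rule>, so URLs under /security/ are left untouched and
     continue to load over plain http://, which avoids the redirect loop that the
     site's framebusting JS (hardcoded http:// destinations) would otherwise cause. -->
<ruleset name="Microsoft.com security section (partial, example)">
  <!-- Hosts this ruleset applies to (assumed) -->
  <target host="www.microsoft.com" />

  <!-- Leave the section whose framebusting script bounces back to http:// alone -->
  <exclusion pattern="^http://www\.microsoft\.com/security/" />

  <!-- Everything else on the host is rewritten to https:// (assumed to work) -->
  <rule from="^http://www\.microsoft\.com/" to="https://www.microsoft.com/" />
</ruleset>
```

The exclusion is the smaller evil discussed above: it keeps the rest of the host on HTTPS while conceding that the /security/ section cannot be made secure by a client-side rewrite as long as the site itself redirects back to an unencrypted transport.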



