
Re: Mixed content warnings for cross-site requests

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 26 Feb 2008 11:57:20 +0100
To: Jonas Sicking <jonas@sicking.cc>
Cc: Collin Jackson <collinj@cs.stanford.edu>, Anne van Kesteren <annevk@opera.com>, Adam Barth <abarth@cs.stanford.edu>, public-appformats@w3.org
Message-ID: <20080226105720.GN71413@iCoaster.does-not-exist.org>

On 2008-02-26 02:16:50 -0800, Jonas Sicking wrote:

> I think in general a UA should warn the user that a connection is
> about to be made over a non-https connection and give the user
> the option to abort the request.

There's a reason why these kinds of dialogues are called "idiot
boxes" by folks in the usability community.  Before recommending any
particular UI behavior in terms of security warnings, please talk to
the people in the Web Security Context WG about that.

> Not sure if this needs to be mentioned in the access-control
> spec, but it doesn't hurt I suppose. In general I don't think
> these requests should be treated any differently from any other
> requests though.

It actually does hurt (for various reasons), and talking about user
interactions for mixed content *is* on the WSC WG's plate.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 26 February 2008 10:57:28 GMT
