
Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive

From: Dan Veditz <dveditz@mozilla.com>
Date: Sat, 03 Nov 2012 01:22:23 +0100
Message-ID: <509463BF.1040606@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: Ian Melven <imelven@mozilla.com>, Web Application Security Working Group <public-webappsec@w3.org>

On 11/2/12 9:22 PM, Adam Barth wrote:
> I'm not sure how useful this directive is now that many user agents
> are blocking mixed scripting by default.

That raises a fairly good point: if multiple user agents are already 
doing (part of) this we should probably specify this behavior somewhere 
or at least argue about it.

I believe no-mixed-content was intended to also block mixed-display 
content (images and such) that user-agents currently don't block. I 
believe the motivation is to give top-level documents some ability to 
prevent 3rd party included content (for example, framed ads) from 
triggering negative UX or warnings in browsers.

-Dan Veditz

Received on Saturday, 3 November 2012 00:22:50 GMT
