
Re: ISSUE-38: Discuss no-mixed-content directive

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 12 Feb 2013 13:50:06 -0800
Message-ID: <511AB90E.10604@mozilla.com>
To: Neil Matatall <neilm@twitter.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2/5/2013 11:01 AM, Neil Matatall wrote:
> "no-mixed-content": on; works for me

I find this to be ugly cruft. Mixed content is a known-bad pattern and 
if you've opted into a security regime we should assume you do not want 
that unless you say otherwise. If you don't specify a scheme then a host 
name should be treated as the same scheme as the document itself. If 
you're an SSL document and you want to load something insecurely you 
should explicitly do so by specifying http://host

To encourage the use of SSL we could say that if the original document 
is not secure then an unspecified scheme could match either http or 
https. Any other scheme is uncommon on the web and should require the 
web site to explicitly allow (if they are using any of the 
content-blocking directives).

-Dan Veditz
Received on Tuesday, 12 February 2013 21:50:37 GMT
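The scheme-matching rule Dan proposes (a scheme-less host in a CSP source expression inherits the document's scheme; an insecure document may additionally match https; any other scheme must be spelled out explicitly), as an added worked example that is not part of the thread or of any CSP implementation. The function names and the handling of ports and paths (ignored here) are assumptions of this example.

```python
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str) -> bool:
    """Match a host-source pattern against a resource host.

    "*.example.com" matches any subdomain; anything else must match exactly.
    """
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(document_url: str, source_expr: str, resource_url: str) -> bool:
    """Decide whether one host-source expression permits loading resource_url
    from a page served at document_url, using the scheme rule described above.
    Ports and paths are ignored for brevity (hypothetical simplification)."""
    doc_scheme = urlsplit(document_url).scheme.lower()
    res = urlsplit(resource_url)

    if "://" in source_expr:
        # Explicit scheme, e.g. "http://cdn.example.com": only that scheme matches.
        expr_scheme, expr_host = source_expr.split("://", 1)
        allowed_schemes = {expr_scheme.lower()}
    else:
        # Scheme-less expression inherits the document's own scheme ...
        expr_host = source_expr
        allowed_schemes = {doc_scheme}
        # ... and an insecure (http) document may also load the host over https,
        # so that upgrading a dependency to TLS never breaks the policy.
        if doc_scheme == "http":
            allowed_schemes.add("https")

    if res.scheme.lower() not in allowed_schemes:
        return False
    return host_matches(expr_host.lower(), res.hostname or "")


def policy_allows(document_url: str, sources: list, resource_url: str) -> bool:
    """A resource is allowed if any source expression in the directive permits it."""
    return any(source_allows(document_url, s, resource_url) for s in sources)


if __name__ == "__main__":
    # Constructed sample: an https page whose policy names a CDN without a scheme.
    page = "https://shop.example/"
    policy = ["'self'", "cdn.example.com"]
    print(policy_allows(page, policy, "http://cdn.example.com/lib.js"))   # False: mixed content blocked
    print(policy_allows(page, policy, "https://cdn.example.com/lib.js"))  # True
```

Under this rule an https page blocks an http load of `cdn.example.com` unless the policy explicitly lists `http://cdn.example.com`.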
