W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2013

Re: ISSUE-38: Discuss no-mixed-content directive

From: Neil Matatall <neilm@twitter.com>
Date: Tue, 12 Feb 2013 14:08:28 -0800
Message-ID: <CAOFLtbiOfLP4tx=qjq9m9fn3LPsoyO56WnLnf-PuqQ+QS2pM6g@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
That works for me.

On Tue, Feb 12, 2013 at 1:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 2/5/2013 11:01 AM, Neil Matatall wrote:
>>
>> "no-mixed-content": on; works for me
>
>
> I find this to be ugly cruft. Mixed content is a known-bad pattern and if
> you've opted into a security regime we should assume you do not want that
> unless you say otherwise. If you don't specify a scheme then a host name
> should be treated as the same scheme as the document itself. If you're an
> SSL document and you want to load something insecurely you should explicitly
> do so by specifying http://host
>
> To encourage the use of SSL we could say that if the original document is
> not secure then an unspecified scheme could match either http or https. Any
> other scheme is uncommon on the web and should require the web site to
> explicitly allow (if they are using any of the content-blocking directives).
>
> -Dan Veditz
Received on Tuesday, 12 February 2013 22:08:56 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 12 February 2013 22:08:56 GMT