Re: ISSUE-38: Discuss no-mixed-content directive

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 5 Mar 2013 16:50:56 -0800
Message-ID: <CAJE5ia8ik-R2ASOgOBtxt3PJyBXg4E9o_Dxw055_6-5ATL-twg@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Does anyone object to making this change to the spec? If not, I'll
put it in my queue of edits to make.

Adam


On Tue, Feb 12, 2013 at 2:08 PM, Neil Matatall <neilm@twitter.com> wrote:
> That works for me.
>
> On Tue, Feb 12, 2013 at 1:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> On 2/5/2013 11:01 AM, Neil Matatall wrote:
>>>
>>> "no-mixed-content": on; works for me
>>
>>
>> I find this to be ugly cruft. Mixed content is a known-bad pattern and if
>> you've opted into a security regime we should assume you do not want that
>> unless you say otherwise. If you don't specify a scheme then a host name
>> should be treated as the same scheme as the document itself. If you're an
>> SSL document and you want to load something insecurely you should explicitly
>> do so by specifying http://host
>>
>> To encourage the use of SSL we could say that if the original document is
>> not secure then an unspecified scheme could match either http or https. Any
>> other scheme is uncommon on the web and should require the web site to
>> explicitly allow (if they are using any of the content-blocking directives).
>>
>> -Dan Veditz
>
Received on Wednesday, 6 March 2013 00:51:56 UTC
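The scheme-matching rule Dan proposes in the quoted reply (a scheme-less host in a source list inherits the document's scheme, an https: document therefore gets no mixed content unless the policy spells out `http://host`, and an http: document matches either http: or https:) can be made concrete with a small matcher. The code below is an added illustration written for this page; it is not the CSP specification's matching algorithm and not code from the thread. The function names `source_allows` and `policy_allows`, the `*.` wildcard handling and the default-port handling are my own assumptions, chosen to mirror how host-sources are commonly written.

```python
"""Illustration (added example, not spec text) of the scheme rule discussed above:
a host-source with no explicit scheme inherits the scheme of the protected
document; on an http: document it also matches https:; an https: document can
load an insecure resource only if the policy names http:// explicitly."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse_source(source: str):
    """Split 'cdn.example', '*.example' or 'http://cdn.example:8080' into
    (scheme or None, host, port or None). Constructed helper, not spec grammar."""
    if "://" in source:
        scheme, rest = source.split("://", 1)
        scheme = scheme.lower()
    else:
        scheme, rest = None, source
    host, _, port = rest.partition(":")
    return scheme, host.lower(), int(port) if port else None


def _host_matches(pattern: str, host: str) -> bool:
    """'*.example' matches any label under example (but not example itself)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(document_url: str, source: str, target_url: str) -> bool:
    """Would a single host-source permit fetching target_url from document_url?"""
    doc_scheme = urlsplit(document_url).scheme.lower()
    src_scheme, src_host, src_port = _parse_source(source)
    tgt = urlsplit(target_url)
    tgt_scheme = tgt.scheme.lower()
    tgt_host = (tgt.hostname or "").lower()
    tgt_port = tgt.port or DEFAULT_PORTS.get(tgt_scheme)

    if src_scheme is not None:
        # Explicit scheme is matched literally. Writing http://host is the only
        # way an https: document opts into an insecure load.
        scheme_ok = tgt_scheme == src_scheme
    elif doc_scheme == "https":
        # No scheme given on a secure document: same scheme as the document,
        # so mixed content is refused by default.
        scheme_ok = tgt_scheme == "https"
    elif doc_scheme == "http":
        # No scheme given on an insecure document: http or https both match,
        # so moving a resource to https never breaks the policy.
        scheme_ok = tgt_scheme in ("http", "https")
    else:
        # Any other document scheme: require an exact match (assumption).
        scheme_ok = tgt_scheme == doc_scheme
    if not scheme_ok:
        return False
    if not _host_matches(src_host, tgt_host):
        return False
    if src_port is not None:
        return src_port == tgt_port
    # No port in the source: only the scheme's default port matches.
    return tgt_port == DEFAULT_PORTS.get(tgt_scheme)


def policy_allows(document_url: str, sources, target_url: str) -> bool:
    """A fetch is permitted if any host-source in the directive permits it."""
    return any(source_allows(document_url, s, target_url) for s in sources)


if __name__ == "__main__":
    # Constructed sample: an https: page with a scheme-less CDN entry.
    doc = "https://shop.example/checkout"
    print(policy_allows(doc, ["cdn.example"], "https://cdn.example/app.js"))  # True
    print(policy_allows(doc, ["cdn.example"], "http://cdn.example/app.js"))   # False
    print(policy_allows(doc, ["http://cdn.example"], "http://cdn.example/app.js"))  # True
```

Running the matcher over a policy before deployment shows exactly which resources would be refused once the scheme inheritance rule applies: on an https: page every scheme-less entry silently stops matching http: URLs, which is the intended effect of the proposal.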
