
Re: Comments on Mixed Content

From: Chris Palmer <palmer@google.com>
Date: Wed, 10 Dec 2014 16:43:36 -0800
Message-ID: <CAOuvq20LMrRZmXr6Xyg-R7_4egCvY-geXXyJdfLaZGvphyaSpw@mail.gmail.com>
To: David Walp <David.Walp@microsoft.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Dec 10, 2014 at 2:32 PM, David Walp <David.Walp@microsoft.com> wrote:

> 1) Section 2.2, TLS-protected & Weakly TLS-protected (and throughout the
> spec).
>
> There appears to be an assumption the only environment is the internet and
> that intranet environments are not addressed. We think this would be
> addressed by adding wording in section 2.2 that stated User agents are free
> to interpret protection within a trusted environment.

How should a UA programmatically and unambiguously determine that the
page's origin is served from an intranet server?

What about passive and active attackers on the intranet?

Why create ambiguity in the user's overall browsing experience?

Why create an affordance for not fixing mixed content bugs?
Received on Thursday, 11 December 2014 00:44:03 UTC
