RE: Mixed Content Spec feedback

Hi Mike,

Yes, we are behind the statement "moving towards a world where all mixed content is blocked".  We wanted to make sure that our partners and the ecosystem's concerns were clearly heard.  They would have liked to have seen a way for playing media from a secure site without paying the overhead of security.  Given the responses, they are willing to pay the overhead to live in a more secure environment (aka the specification as currently written).  Net effect is that the concern I raised is withdrawn from the specification discussion.

Cheers,
_dave_


From: Mike West [mailto:mkwst@google.com]
Sent: Wednesday, July 2, 2014 6:01 AM
To: Anne van Kesteren
Cc: David Walp; public-webappsec@w3.org
Subject: Re: Mixed Content Spec feedback

Hi David! Thank you for your feedback!

When describing passive content, the spec currently states "Future versions of this specification will update these subcategories with the intent of moving towards a world where all mixed content is blocked; that is the end goal, but this is the best we can do for now." Is that a statement that Microsoft can get behind?

If so, then the proposal to allow certain types of XHR responses seems to move in the wrong direction, as there's general agreement between vendors today (the latest versions of Firefox and IE both block mixed XHR, and I've just landed a similar patch in Blink).

Allowing media to flow over unencrypted channels on an otherwise encrypted site opens up some real concerns, especially with regard to content filtering or targeting of users based on content viewed. I'm sympathetic to performance concerns, but I don't believe they should be overriding given this wider context.

-mike