- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 2 Jun 2014 11:08:21 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Ryan Sleevi <rsleevi@chromium.org>, Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, palmer <palmer@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, Brad Hill <bhill@paypal.com>
> For that domain. It doesn't mean the author would never want to include
> other-domain non-SSL content. What are you going to do about the common case
> of viewing embedded images in secure GMail?

yeah absolutely we should show a warning or block that content. I am not arguing against that: I am only talking about the case where due to HSTS, no insecure content is ever loaded on the page.

> I agree, there's no point warning the user about something that hasn't
> happened. We should still spit out a message on the console, of course.

Exactly---I view "message on console" as "warn the developer/author" and showing security UI as "warn the user". In general, conserving user attention and reducing warnings is something I am a big fan of. Even if Chrome does show a warning right now, I am not sure what we get by mandating this in the spec.

thanks
Dev
Received on Monday, 2 June 2014 18:09:08 UTC