W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [MIX] Initial feedback on Mixed Content

From: Mike West <mkwst@google.com>
Date: Fri, 14 Nov 2014 12:09:50 +0100
Message-ID: <CAKXHy=dFsjsdzw5NknPUc7eP=eGPrY4Tk7BcprFD0kikOTd9mg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>, Jake Archibald <jakearchibald@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Nov 14, 2014 at 4:59 AM, Brian Smith <brian@briansmith.org> wrote:

> I read the editor's draft, not the working group draft.
>

Thanks for the feedback!


> Generally, I think that this draft has way too many unnecessary words,
> with a lot of non-normative text repeating the normative text.


I agree with the claim that there's overlap between non-normative and
normative sections. I guess I'm a little more positive on that overlap than
you are. While it is indeed _sufficient_ for the spec to list the
algorithms in section 5 and 6 (along with whatever definitions and etc
those require), I think doing so would make the spec harder for web
developers to understand.

The non-normative sections provide justification for the normative sections.

That's not to say it's all gold; I agree that section 4 in particular can
be trimmed down. I'm less interested in trimming 3 because it gives
developers a clear delineation, and, to some extent, justification for the
way things break down. That's important to me.

But yes, by all means suggest specific things to excise. I'm desperately in
love with any particular thing in the doc.

To fix this, I suggest adding an additional step along the lines of
> "If any service worker was registered, then return blocked" before "If
> request’s mode is CORS or CORS-with-forced-preflight, return blocked."
>

If a website can request a particular video/audio/image, then it's not
clear that a Service Worker shouldn't be able to do the same (with UI
degradation, as appropriate). Jake (CC'd) has harangued me with the example
of a podcasting app, for instance: it's absolutely something we'd want to
see work offline, and the <audio> tag is perfectly capable of playing back
insecure content.

Should we block Service Worker from doing the same? I don't think that's as
clear-cut as you suggest.


> Also, please replace "If context is a blockable request context,
> return blocked." with "If context is a not an optionally-blockable
> request context, return blocked." In other words, operate as a
> whitelist, not a blacklist. This way, you don't even have to define
> "blockable" only "optionally-blockable".


Makes sense:
https://github.com/w3c/webappsec/commit/10b0ac77dbdb6c73b68b1cd0b0622193ebffd787


> And, it makes it easier to
> see why it is unnecessary to enumerate any/all of the blockable fetch
> types.
>

Technically, I agree with you. Explanatorily, I disagree. :)

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 14 November 2014 11:10:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC