W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [MIX] Initial feedback on Mixed Content

From: Brian Smith <brian@briansmith.org>
Date: Mon, 17 Nov 2014 21:09:16 -0800
Message-ID: <CAFewVt4FvTX0=A9B7B_Czkd7SnTL__C4ygJhUomnaTgiMx1nWQ@mail.gmail.com>
To: Jake Archibald <jakearchibald@google.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Jake Archibald <jakearchibald@google.com> wrote:
> Also, one of the bad things about appcache is a valid but otherwise empty
> manifest makes massive changes to the behaviour of the page. No subresources
> will load, and the page pointing to the manifest will be cached. This is
> terrible & we want to avoid doing the same with ServiceWorker, an
> empty-but-valid ServiceWorker should have no impact on the loading of the
> page and resources.

Jake, thanks for pointing that out. I agree that my suggestion was too
heavy-handed. That goal can be easily met without allowing the
ServiceWorker to itself make any mixed-content requests. Please see my
reply to Mike.

Note that mixed content blocking already creates some tension with
things like feed readers, page previewing for development tools and
advertisements, and other things. I'm not convinced that a podcasting
app is more important to support than those other use cases that we
already accepted as collateral damage. I think there might be some
selection bias there, as people in our community are more likely to
care about that type of use case.

Regardless, I think it would be good to find *some* way to align the
goals of ServiceWorkers with the goals of mixed content blocking. I
understand that Google has specific plans for handling mixed content
with ServiceWorkers. Could you please share the details?

Cheers,
Brian
Received on Tuesday, 18 November 2014 05:09:42 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC