W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [MIX] Initial feedback on Mixed Content

From: Mike West <mkwst@google.com>
Date: Tue, 18 Nov 2014 15:53:05 +0100
Message-ID: <CAKXHy=fphxMBTQ=AwTEzArurZ55VBM-wqzxUskDOregNxzemMg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Jake Archibald <jakearchibald@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I trimmed things up a little bit today:
https://github.com/w3c/webappsec/compare/96b18716431c7107e6744a7f04f6d1e298a3201f...master
WDYT?

I doubt it addresses all of your concerns, but it's what I had time for
today. :)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Nov 18, 2014 at 6:02 AM, Brian Smith <brian@briansmith.org> wrote:

> Mike,
>
> Thanks for considering my feedback. More inline.
>
> On Fri, Nov 14, 2014 at 3:09 AM, Mike West <mkwst@google.com> wrote:
> > I agree with the claim that there's overlap between non-normative and
> > normative sections. I guess I'm a little more positive on that overlap
> than
> > you are. While it is indeed _sufficient_ for the spec to list the
> algorithms
> > in section 5 and 6 (along with whatever definitions and etc those
> require),
> > I think doing so would make the spec harder for web developers to
> > understand.
> >
> > The non-normative sections provide justification for the normative
> sections.
> >
> > That's not to say it's all gold; I agree that section 4 in particular
> can be
> > trimmed down.
>
> Yes, that would be great. I am happy to provide more specific and
> concrete feedback, but it would be great to do so after that
> reduction.
>
> > I'm less interested in trimming 3 because it gives developers
> > a clear delineation, and, to some extent, justification for the way
> things
> > break down. That's important to me.
>
> I mostly agree. However, at a minimum, the enumeration of
> currently-known blockable fetch contexts in section 3.2 should be
> removed. Although you do say it is non-exhaustive, I think the fact
> that you attempted to exhaustively enumerate the ones that are
> currently known just makes it confusing. In particular, it will add
> fuel to future debates that new types of content were not
> appropriately considered. And, it will prompt otherwise unnecessary
> updates to the document to keep that enumeration up to date. Removal
> also adds emphasis to the ideas that the optionally-blockable content
> is a legacy compatibility mechanism, that we intend for future types
> of content to be in the blockable category, and that blockable is the
> default, all great things to emphasize.
>
> Along those same lines, since that content is most of section 3.2,
> removing it would make it more reasonable to combine section 3.1 and
> section 3.2, perhaps re-titling the section "Blockable vs.
> Optionally-blockable mixed content."
>
> >> To fix this, I suggest adding an additional step along the lines of
> >> "If any service worker was registered, then return blocked" before "If
> >> request’s mode is CORS or CORS-with-forced-preflight, return blocked."
> >
> > If a website can request a particular video/audio/image, then it's not
> clear
> > that a Service Worker shouldn't be able to do the same (with UI
> degradation,
> > as appropriate). Jake (CC'd) has harangued me with the example of a
> > podcasting app, for instance: it's absolutely something we'd want to see
> > work offline, and the <audio> tag is perfectly capable of playing back
> > insecure content.
> >
> > Should we block Service Worker from doing the same? I don't think that's
> as
> > clear-cut as you suggest.
>
> This is at odds with the reasoning in section 3, right? I'd like to
> stick with the reasoning in section 3, where we tolerate mixed content
> for legacy compatibility reasons only. There's no legacy compatibility
> impact for ServiceWorker, because there's no legacy ServiceWorker
> content.
>
> I can see that my suggestion to disallow all mixed content if a
> ServiceWorker is registered is unnecessarily heavy-handed. However, I
> am not convinced that the ServiceWorker needs to be able to do
> mixed-content, other than rejecting the request or allowing the
> default action (the browser's default fetching mechanism) to be used
> to return a response to be used as the source for a  <img>, <video>,
> or <audio> element.
>
> > Makes sense:
> >
> https://github.com/w3c/webappsec/commit/10b0ac77dbdb6c73b68b1cd0b0622193ebffd787
>
> Looks good.
>
> >> And, it makes it easier to
> >> see why it is unnecessary to enumerate any/all of the blockable fetch
> >> types.
> >
> > Technically, I agree with you. Explanatorily, I disagree. :)
>
> Please see my reasoning above. The clearest explanation is that
> everything is blockable except the things explicitly listed a
> optionally-blockable.
>
> Cheers,
> Brian
>
Received on Tuesday, 18 November 2014 14:53:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC