Re: CfC: Mixed Content to PR; deadline July 6th. from Brian Smith on 2015-07-07 (public-webappsec@w3.org from July 2015)

From: Brian Smith <brian@briansmith.org>
Date: Tue, 7 Jul 2015 10:29:01 -0400
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ryan Sleevi <sleevi@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Kristijan Burnik <burnik@google.com>
Message-ID: <CAFewVt70Jai+3btMggWXYAYGbj9=xghqb=edCYfYYgt-xi-08Q@mail.gmail.com>

Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jul 7, 2015 at 4:16 PM, Brian Smith <brian@briansmith.org> wrote:
> > [...] any use of fetch() by a service worker to fetch a
> > non-secure resource will fail due the pre-connect blocking in section
> 5.2.
>
> "no-cors" is not blocked.
>

Are you basing that this?:
on https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-fetch

My reading of that section makes me thing that every fetch() is blocked by
step 7.2, because "fetch" is not optionally-blockable mixed content. Only
"video", "audio", and "img" are optionally-blockable mixed content.

Cheers,
Brian

Received on Tuesday, 7 July 2015 14:29:29 UTC