Re: CfC: Mixed Content to PR; deadline July 6th. from Mike West on 2015-07-20 (public-webappsec@w3.org from July 2015)

From: Mike West <mkwst@google.com>
Date: Mon, 20 Jul 2015 14:35:56 +0200
To: Brian Smith <brian@briansmith.org>
Cc: Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Dan Veditz <dveditz@mozilla.com>, Kristijan Burnik <burnik@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Alex Russell <slightlyoff@google.com>, Ryan Sleevi <sleevi@google.com>
Message-ID: <CAKXHy=f4cqF+p54KTa_NGmpWyfygdgWsddDP6UgojHqU_R-K9A@mail.gmail.com>

Ok. If both Brian and Anne agree, then I'm almost certainly in the wrong.

I'll poke at MIX this afternoon to bake in the passthrough loophole
discussed here. It's not entirely clear to me how to distinguish a
`fetch()` issued from the Document from the `fetch(event.request)` issued
from the Service Worker (as they'll both have a `context` of "fetch",
right? and both point to the same `window`?). Perhaps it makes sense to
divide the "fetch" context into "fetch" and "passthrough-fetch" in the same
way we divided "image" and "image-set"?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Sun, Jul 19, 2015 at 9:58 PM, Brian Smith <brian@briansmith.org> wrote:

> Anne van Kesteren wrote:
>
>> Mi ke West wrote:
>
> > (Note also that in my ever so brief (and probably incompetent)
>> > experimentation, I'm getting mixed content errors when doing anything
>> other
>> > than a passthrough fetch for insecure content. Maybe I misunderstood
>> Alex,
>> > or he misunderstood me?)
>>
>> If by passthrough you mean fetch(event.request) that'd make sense to me.
>>
>
> I think that that is a compromise worth considering: Allow mixed-content
> fetch in a service worker only if the fetch is forwarding a request
> generated from the browser's normal fetching of a <img>, <video>, or
> <audio> source, and otherwise block it.
>
> IMO, it doesn't make sense to advance this document to PR if it describes
> something where there is not agreement and that people don't intend to
> implement. I wish people agreed with what the spec says, but specs are not
> supposed to be wishful thinking. I think pushing the current document
> forward is likely to result in worse (less strict) mixed content blocking
> in real implementations than if we took the time to properly resolve the
> issue.
>
> Cheers,
> Brian
> --
> https://briansmith.org/
>

Received on Monday, 20 July 2015 12:36:45 UTC