- From: Nottingham, Mark <mnotting@akamai.com>
- Date: Tue, 22 Mar 2016 00:45:55 +0000
- To: Tanvi Vyas <tanvi@mozilla.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, "Christoph Kerschbaumer" <ckerschbaumer@mozilla.com>
The strict checking section ([2] below) says it has effects on both 5.3 and 5.4; looking at them, they both perform a "Does settings prohibit mixed security contexts?" check first <https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object>, and AIUI that has the effect of ignoring the flag for HTTP contexts (because it will fall through to "Does Not Restrict Mixed Security Contexts"). I think that's the right thing to do, FWIW.

Cheers,

> On 22 Mar 2016, at 10:35 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
>
> Hi,
>
> Christoph just implemented support in Firefox for the CSP directive block-all-mixed-content[1], which should be released with Firefox 48. When looking back at the implementation, I wonder what is the right behavior if the directive is set on an HTTP page. I don't see this case mentioned explicitly in the spec. Is this a use case we should support? Perhaps it would be useful for an HTTP page that is planning to move to HTTPS; the developer may set the directive to avoid mixed content issues once they migrate? Thoughts?
>
> ~Tanvi
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1122236
> [2] https://w3c.github.io/webappsec-mixed-content/#strict-checking

--
Mark Nottingham
mnot@akamai.com
https://www.mnot.net/
Received on Tuesday, 22 March 2016 00:46:27 UTC
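The point Mark makes above, that the "Does settings prohibit mixed security contexts?" check runs before the strict-mode flag is consulted, so block-all-mixed-content on a plain HTTP document has no effect, can be modelled in a few lines. The following is an added JavaScript example, not the spec's text and not Firefox's implementation; it simplifies the spec's algorithms (a "settings object" is a constructed record holding the document origin, its ancestor origins and the strict-mode flag; "potentially trustworthy" is reduced to an https:/wss: scheme check, omitting localhost and file:), and the header-parsing helper `strictModeFromCsp` is a hypothetical name chosen here.

```javascript
// Added example modelling the Mixed Content spec's categorization and
// strict-mode fetch decision. Not spec or browser code; see lead-in for assumptions.

// Assumption: only https:/wss: origins count as potentially trustworthy here.
function isPotentiallyTrustworthy(originOrUrl) {
  return originOrUrl.startsWith("https://") || originOrUrl.startsWith("wss://");
}

// "Does settings prohibit mixed security contexts?" (simplified):
// a document is restricted if it, or any ancestor document, is secure.
function categorizeSettingsObject(settings) {
  if (
    isPotentiallyTrustworthy(settings.origin) ||
    settings.ancestors.some(isPotentiallyTrustworthy)
  ) {
    return "Prohibits Mixed Security Contexts";
  }
  return "Does Not Restrict Mixed Security Contexts";
}

// Hypothetical helper: does a CSP header value carry block-all-mixed-content?
function strictModeFromCsp(cspHeaderValue) {
  return cspHeaderValue
    .split(";")
    .map((d) => d.trim().toLowerCase())
    .includes("block-all-mixed-content");
}

// Optionally-blockable content per the spec: images, audio, video.
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// "Should fetching request be blocked as mixed content?" (simplified):
// returns "allowed" or "blocked".
function shouldBlockFetchAsMixedContent(request, settings) {
  // Step 1: an unrestricted (HTTP) context short-circuits; the strict flag is never read.
  if (
    categorizeSettingsObject(settings) ===
    "Does Not Restrict Mixed Security Contexts"
  ) {
    return "allowed";
  }
  // Step 2: a priori authenticated URLs are always fine.
  if (isPotentiallyTrustworthy(request.url)) return "allowed";
  // Step 3: strict mode (block-all-mixed-content) blocks everything left.
  if (settings.strictMode) return "blocked";
  // Step 4: without strict mode, optionally-blockable content is still loaded.
  if (OPTIONALLY_BLOCKABLE.has(request.destination)) return "allowed";
  // Step 5: blockable content (scripts, stylesheets, fetch, ...) is blocked.
  return "blocked";
}

// Constructed scenarios: the same CSP header on an HTTP and an HTTPS document.
function demo() {
  const csp = "default-src 'self'; block-all-mixed-content";
  const img = { url: "http://cdn.example/pic.png", destination: "image" };
  const httpPage = { origin: "http://example.com", ancestors: [], strictMode: strictModeFromCsp(csp) };
  const httpsPage = { origin: "https://example.com", ancestors: [], strictMode: strictModeFromCsp(csp) };
  return {
    httpPageCategory: categorizeSettingsObject(httpPage),
    httpPageImage: shouldBlockFetchAsMixedContent(img, httpPage),   // "allowed": flag ignored
    httpsPageImage: shouldBlockFetchAsMixedContent(img, httpsPage), // "blocked": strict mode
  };
}

console.log(demo());
```

The `ancestors` list matters for the case Tanvi does not mention: an HTTP document framed inside an HTTPS page is restricted through its ancestor, so the directive does take effect there.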