- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Fri, 27 Oct 2017 16:20:22 -0700
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Emily Stark <estark@google.com>, Peter Eckersley <pde@eff.org>, Brad Hill <hillbrad@gmail.com>
- Message-ID: <CALC7Gs4Wv-7Cokaa5cJmUZo0kdyiWnv7KC76gTSXbP_BkLtvBg@mail.gmail.com>
Hi Mike, Thanks for coming up with a proposal to help get us closer to eliminating mixed content! A few comments inline. > 1. Upgrade blockable mixed content to HTTPS by default rather than > blocking it. > Desktop Firefox's UI to unblock mixed content is pretty hidden. There is no visual indicator in the url bar to show mixed content is blocked. To unblock it, you have to click the i icon, then an arrow, then a button. The number of disables we see is nominal, to the point that I almost want to remove the feature (https://mzl.la/2yaJrv6). One of the reasons we haven't done that is because we might want to reuse the same UI for optionally-blockable content that we start blocking. Removing the UI and then adding it back later could cause confusion. Anyway, the point is, since the web and users seem to have adapted to tolerate a web where blockable mixed content doesn't load, should we bother trying to upgrade it (and potentially dealing with script timeout issues that Kate mentioned that could prevent the rest of the page from loading)? One question, what made you change your mind about auto-upgrading? You mention some research on comparing http and https content in the proposal. Is that the motivation, or are there other factors involved? > 2. Treat optionally-blockable mixed content as blockable by default, with > an opt-in to status quo behavior. > > This sounds like a good idea, if we have some confidence that the websites that have optionally-blockable mixed content are aware of their problem. We could also consider making everything but image optionally-blockable. (In that case though, we may need to revisit some of my points under 1, as they may no longer be valid when we start inserting more content types into the blockable mixed content category.) Would trying to upgrade optionally-blockable mixed content have the same type of problems with timeouts? Perhaps an https script could be waiting for an http image to load before loading the rest of the page, but that sounds a lot more uncommon than pausing page load because of a script. > 3. Deprecate and remove `Upgrade-Insecure-Requests` in favor of the above. > > 4. Remove their user-facing blockable mixed content overrides. > This largely depends on what we decide above. Also note that on Firefox for Android, an unblock option doesn't exist. Hope to discuss more at TPAC. Thanks! ~Tanvi
Received on Friday, 27 October 2017 23:20:46 UTC