Re: Mixed content warnings for cross-site requests

Thomas Roessler wrote:
> On 2008-02-26 02:16:50 -0800, Jonas Sicking wrote:
> 
>> I think in general a UA should warn the user that a connection is
>> about to be made over a non-https connection and give the user
>> the option to abort the request.
> 
> There's a reason why these kinds of dialogues are called "idiot
> boxes" by folks in the usability community.  Before recommending any
> particular UI behavior in terms of security warnings, please talk to
> the people in the Web Security Context WG about that.

Well, the option I was talking about above doesn't need to be a popup, but
could be a whitelist/blacklist/asklist in the prefs for the browser. But 
yes, this group is not the place to design this.

>> Not sure if this needs to be mentioned in the access-control
>> spec, but it doesn't hurt I suppose. In general I don't think
>> these requests should be treated any differently from any other
>> requests though.
> 
> It actually does hurt (for various reasons), and talking about user
> interactions for mixed content *is* on the WSC WG's plate.

Well, what I think the spec might want to say is basically "the UA 
should follow whatever guidelines it uses for other requests". We should 
definitely not mandate any particular behavior.

But I'd be fine with staying silent on the issue too. I generally think 
this is a UA question as far as this spec goes.

/ Jonas

Received on Tuesday, 26 February 2008 11:06:36 UTC