- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 12 Feb 2013 13:50:06 -0800
- To: Neil Matatall <neilm@twitter.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2/5/2013 11:01 AM, Neil Matatall wrote:
> "no-mixed-content": on; works for me

I find this to be ugly cruft. Mixed content is a known-bad pattern and if you've opted into a security regime we should assume you do not want that unless you say otherwise.

If you don't specify a scheme then a host name should be treated as the same scheme as the document itself. If you're an SSL document and you want to load something insecurely you should explicitly do so by specifying http://host.

To encourage the use of SSL we could say that if the original document is not secure then an unspecified scheme could match either http or https.

Any other scheme is uncommon on the web and should require the web site to explicitly allow (if they are using any of the content-blocking directives).

-Dan Veditz
Received on Tuesday, 12 February 2013 21:50:37 UTC
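The scheme-matching rule Dan proposes above (unspecified scheme means "same as the document"; an https document must name http://host explicitly to allow an insecure load; an http document may match either http or https; any other scheme must be spelled out) is small enough to write down as a matcher. The following is an added illustration written for this archive page, not code from the list thread or from any browser or the CSP specification; the function names `source_allows` and `directive_allows`, and the sample URLs, are constructed here. It compares host names only and does not handle ports, wildcards, paths or keyword sources.

```python
from urllib.parse import urlsplit


def _split_source(source_expr: str):
    """Split a host-source expression into (scheme or None, hostname)."""
    if "://" in source_expr:
        scheme, rest = source_expr.split("://", 1)
        return scheme.lower(), urlsplit("//" + rest).hostname
    return None, urlsplit("//" + source_expr).hostname


def source_allows(document_url: str, source_expr: str, target_url: str) -> bool:
    """Does one host-source expression permit loading target_url from the
    document at document_url, under the proposed scheme rule?"""
    doc_scheme = urlsplit(document_url).scheme.lower()
    tgt = urlsplit(target_url)
    src_scheme, src_host = _split_source(source_expr)

    # Host must match (exact hostname comparison only, for this illustration).
    if tgt.hostname is None or src_host is None or tgt.hostname.lower() != src_host.lower():
        return False

    if src_scheme is not None:
        # Explicit scheme in the source: it must match exactly. This is how a
        # secure page opts in to an insecure load: by listing http://host.
        return tgt.scheme.lower() == src_scheme

    # No scheme given: the host is treated as the document's own scheme.
    if doc_scheme == "https":
        return tgt.scheme.lower() == "https"
    if doc_scheme == "http":
        # Non-secure document: allow either, to encourage moving to https.
        return tgt.scheme.lower() in ("http", "https")
    # Any other scheme is uncommon and must be allowed explicitly.
    return False


def directive_allows(document_url: str, sources: list, target_url: str) -> bool:
    """A directive permits the load if any of its source expressions does."""
    return any(source_allows(document_url, s, target_url) for s in sources)


if __name__ == "__main__":
    # Constructed sample policy for a secure page: unscheme'd CDN host plus an
    # explicit http:// exception for one legacy host.
    policy = ["cdn.example.net", "http://legacy.example.org"]
    page = "https://www.example.com/page"
    for url in ("https://cdn.example.net/a.js",
                "http://cdn.example.net/a.js",
                "http://legacy.example.org/old.js",
                "https://legacy.example.org/old.js"):
        print(url, "->", "allowed" if directive_allows(page, policy, url) else "blocked")
```

Running the module shows the https CDN load allowed, the http CDN load blocked (mixed content is not permitted by an unscheme'd source on a secure page), and only the http form of the legacy host allowed, since its scheme was given explicitly.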