- From: Neil Matatall <neilm@twitter.com>
- Date: Tue, 12 Feb 2013 14:08:28 -0800
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
That works for me.

On Tue, Feb 12, 2013 at 1:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 2/5/2013 11:01 AM, Neil Matatall wrote:
>>
>> "no-mixed-content": on; works for me
>
>
> I find this to be ugly cruft. Mixed content is a known-bad pattern and if
> you've opted into a security regime we should assume you do not want that
> unless you say otherwise. If you don't specify a scheme then a host name
> should be treated as the same scheme as the document itself. If you're an
> SSL document and you want to load something insecurely you should explicitly
> do so by specifying http://host
>
> To encourage the use of SSL we could say that if the original document is
> not secure then an unspecified scheme could match either http or https. Any
> other scheme is uncommon on the web and should require the web site to
> explicitly allow (if they are using any of the content-blocking directives).
>
> -Dan Veditz
Received on Tuesday, 12 February 2013 22:08:56 UTC
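The scheme rule Dan Veditz proposes in the quoted message (an unspecified scheme inherits the document's scheme, an https document therefore blocks http resources unless `http://host` is written out, an http document matches either http or https, and any other scheme must be listed explicitly) can be written down as a small matcher. The block below is an added example, not code from the thread, the CSP specification or any browser; the function names, the toy source-expression grammar and the sample URLs are all assumptions made for illustration.

```javascript
// Added example: a toy CSP host-source matcher implementing the scheme rule
// discussed in the thread. Function names and grammar are assumptions, not a
// spec or browser implementation.

// Parse expressions like "cdn.example.com", "https://cdn.example.com",
// "*.example.com" or "http://cdn.example.com:8080" into their parts.
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*\s]+)(?::(\d+|\*))?$/i
    .exec(expr.trim());
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    wildcardSubdomain: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null,
  };
}

// The rule under discussion:
//  - an explicit scheme in the expression must equal the resource's scheme
//  - no scheme: an https document matches only https (no mixed content unless
//    "http://host" is written out); an http document matches http or https
//  - anything other than http/https must be named explicitly
function schemeAllowed(exprScheme, docScheme, resScheme) {
  if (exprScheme) return exprScheme === resScheme;
  if (docScheme === 'https') return resScheme === 'https';
  if (docScheme === 'http') return resScheme === 'http' || resScheme === 'https';
  return resScheme === docScheme;
}

function hostAllowed(src, hostname) {
  if (src.wildcardSubdomain) return hostname.endsWith('.' + src.host);
  return hostname === src.host;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function portAllowed(src, url) {
  const resPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  // No port in the expression: only the scheme's default port is allowed.
  if (src.port === null) return resPort === (DEFAULT_PORTS[url.protocol] || '');
  if (src.port === '*') return true;
  return src.port === resPort;
}

// True if resourceUrl is allowed by the single expression expr when the
// requesting document lives at documentUrl.
function sourceMatches(expr, documentUrl, resourceUrl) {
  const src = parseSourceExpression(expr);
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);
  const docScheme = doc.protocol.slice(0, -1);
  const resScheme = res.protocol.slice(0, -1);
  return schemeAllowed(src.scheme, docScheme, resScheme)
    && hostAllowed(src, res.hostname)
    && portAllowed(src, res);
}

// A whole directive value is a whitespace-separated list; any expression may match.
function directiveAllows(directiveValue, documentUrl, resourceUrl) {
  return directiveValue.trim().split(/\s+/)
    .some((expr) => sourceMatches(expr, documentUrl, resourceUrl));
}

// Constructed sample: an https page with "script-src cdn.example.com" must not
// pull a script over plain http, but may once "http://cdn.example.com" is listed.
const PAGE = 'https://www.example.com/';
console.log(directiveAllows('cdn.example.com', PAGE, 'http://cdn.example.com/a.js'));  // false
console.log(directiveAllows('cdn.example.com', PAGE, 'https://cdn.example.com/a.js')); // true
console.log(directiveAllows('http://cdn.example.com', PAGE, 'http://cdn.example.com/a.js')); // true
```

The same expression evaluated from an `http://` document accepts both `http://cdn.example.com/a.js` and `https://cdn.example.com/a.js`, which is the "encourage the use of SSL" half of the proposal; a non-web scheme such as `ftp:` only passes when the expression names it.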