Re: ISSUE-38: Discuss no-mixed-content directive

Does anyone object to making this change to the spec?  If not, I'll
put it in my queue of edits to make.

Adam


On Tue, Feb 12, 2013 at 2:08 PM, Neil Matatall <neilm@twitter.com> wrote:
> That works for me.
>
> On Tue, Feb 12, 2013 at 1:50 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> On 2/5/2013 11:01 AM, Neil Matatall wrote:
>>>
>>> "no-mixed-content": on; works for me
>>
>>
>> I find this to be ugly cruft. Mixed content is a known-bad pattern and if
>> you've opted into a security regime we should assume you do not want that
>> unless you say otherwise. If you don't specify a scheme then a host name
>> should be treated as the same scheme as the document itself. If you're an
>> SSL document and you want to load something insecurely you should explicitly
>> do so by specifying http://host
>>
>> To encourage the use of SSL we could say that if the original document is
>> not secure then an unspecified scheme could match either http or https. Any
>> other scheme is uncommon on the web and should require the web site to
>> explicitly allow (if they are using any of the content-blocking directives).
>>
>> -Dan Veditz
>

Received on Wednesday, 6 March 2013 00:51:56 UTC
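
Added example, not part of the thread or of the CSP spec: a sketch of the scheme-matching rule Daniel Veditz proposes in the quoted message (a scheme-less host follows the document's scheme, an insecure document may match http or https, any other scheme must be written explicitly). The function names are hypothetical, the hosts are constructed placeholders, and host matching is simplified to an exact comparison with no wildcards, ports or paths.

```javascript
// Illustration of the proposed rule only; not spec text and not any
// browser's implementation. Host matching is an assumption: exact,
// case-insensitive, no wildcards, ports or paths.

// Split a source expression such as "http://cdn.example" or "cdn.example".
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)$/i.exec(expr.trim());
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

// Schemes a source expression permits for a given document URL.
function allowedSchemes(source, documentUrl) {
  if (source.scheme) return [source.scheme];           // explicit scheme: only that one
  const docScheme = new URL(documentUrl).protocol.slice(0, -1);
  if (docScheme === "http") return ["http", "https"];  // insecure document: either
  return [docScheme];                                  // otherwise the document's scheme
}

// True when the resource URL is permitted by the source expression.
function sourceAllows(expr, documentUrl, resourceUrl) {
  const source = parseSource(expr);
  const res = new URL(resourceUrl);
  const resScheme = res.protocol.slice(0, -1);
  return res.hostname.toLowerCase() === source.host &&
         allowedSchemes(source, documentUrl).includes(resScheme);
}

// Constructed sample cases: [source expression, document URL, resource URL].
const cases = [
  ["cdn.example",        "https://site.example/", "https://cdn.example/a.js"],
  ["cdn.example",        "https://site.example/", "http://cdn.example/a.js"],
  ["http://cdn.example", "https://site.example/", "http://cdn.example/a.js"],
  ["cdn.example",        "http://site.example/",  "https://cdn.example/a.js"],
  ["cdn.example",        "http://site.example/",  "ftp://cdn.example/a.js"],
];
for (const [expr, doc, res] of cases) {
  const verdict = sourceAllows(expr, doc, res) ? "allow" : "block";
  console.log(`${expr} | document ${doc} | ${res} -> ${verdict}`);
}
```

The second case is the mixed-content load: under this rule it is blocked without any separate no-mixed-content directive, and the third case shows the explicit http://host opt-in.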