Re: Comments on Mixed Content

On Wed, Dec 10, 2014 at 2:32 PM, David Walp <David.Walp@microsoft.com> wrote:

> 1) Section 2.2, TLS-protected & Weakly TLS-protected (and throughout the
> spec).
>
> There appears to be an assumption the only environment is the internet and
> that intranet environments are not addressed. We think this would be
> addressed by adding wording in section 2.2 that stated User agents are free
> to interpret protection within a trusted environment.

How should a UA programmatically and unambiguously determine that the
page's origin is served from an intranet server?

What about passive and active attackers on the intranet?

Why create ambiguity in the user's overall browsing experience?

Why create an affordance for not fixing mixed content bugs?

Received on Thursday, 11 December 2014 00:44:03 UTC