- From: Jake Archibald <jaffathecake@gmail.com>
- Date: Tue, 22 Jul 2014 10:28:27 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 22 July 2014 09:28:54 UTC
On 22 July 2014 08:00, Brian Smith <brian@briansmith.org> wrote:

> On Fri, Jul 11, 2014 at 3:21 AM, Jake Archibald <jaffathecake@gmail.com> wrote:
> > Mixed content will be opaque (like all responses to no-cors requests), it's
> > down to the eventual consumer (<img>, <script>, @font-face etc) whether to
> > block or allow.
>
> Why? I think it is not worth supporting the edge case of a site that
> has passive mixed content AND is progressive enough to be using
> ServiceWorker AND is unwilling/unable to get rid of the passive mixed
> content fixed. If nothing else, the security analysis of
> ServiceWorkers is a lot clearer if mixed content doesn't have to be
> considered.

ServiceWorker already has to deal with opaque responses for cross-origin no-cors responses. MIX already has to deal with blocking cors requests to http for <img crossorigin>, <link crossorigin> & XHR. Special-casing pages with a serviceworker is adding complication. An empty serviceworker should not alter page behaviour.