Re: [MIX] Consider all CORS requests "active"

On 22 July 2014 08:00, Brian Smith <brian@briansmith.org> wrote:

> >n Fri, Jul 11, 2014 at 3:21 AM, Jake Archibald <jaffathecake@gmail.com>
> wrote:
> > Mixed content will be opaque (like all responses to no-cors requests),
> it's
> > down to the eventual consumer (<img>, <script>, @font-face etc) whether
> to
> > block or allow.
>
> Why? I think it is not worth supporting the edge case of a site that
> has passive mixed content AND is progressive enough to be using
> ServiceWorker AND is unwilling/unable to get rid of the passive mixed
> content fixed. If nothing else, the security analysis of
> ServiceWorkers is a lot clearer if mixed content doesn't have to be
> considered.


ServiceWorker already has to deal with opaque responses for cross-origin
no-cors responses. MIX already has to deal with blocking cors requests to
http for <img crossorigin>, <link crossorigin> & XHR. Special-casing pages
with a serviceworker is adding complication.

An empty serviceworker should not alter page behaviour.

Received on Tuesday, 22 July 2014 09:28:54 UTC