On Tue, Jul 22, 2014 at 12:40 PM, Jake Archibald <jaffathecake@gmail.com> wrote:
> Looks great to me.

Hooray!

> In https://w3c.github.io/webappsec/specs/mixedcontent/#category-blockable, I
> don't think we need:
>
> * ServiceWorkers - we don't allow them on http pages & they can't be on
>   other origins
> * Data - doesn't the CORS rule take care of this? (except WebSockets)

Indeed. These are double-blocked! It's redundant, but I think dropping
'serviceworker', 'xmlhttprequest', and 'eventsource' from the "blockable"
category would be more confusing than leaving them there, even though they
will technically be blocked in a slightly different way than, say, 'script'.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 22 July 2014 10:49:47 UTC