
Re: "Mixed Content" draft up for review.

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 2 Jun 2014 11:08:21 -0700
Message-ID: <CAPfop_0M50ocp+6U0UHAE32RCx4DUV3Vq7O+P1J-JDLNreLKPg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Ryan Sleevi <rsleevi@chromium.org>, Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, palmer <palmer@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, Brad Hill <bhill@paypal.com>
> For that domain. It doesn't mean the author would never want to include
> other-domain non-SSL content. What are you going to do about the common case
> of viewing embedded images in secure GMail?

Yeah, absolutely, we should show a warning or block that content. I am
not arguing against that: I am only talking about the case where, due
to HSTS, no insecure content is ever loaded on the page.

> I agree, there's no point warning the user about something that hasn't
> happened. We should still spit out a message on the console, of course.

Exactly---I view "message on console" as "warn the developer/author"
and showing security UI as "warn the user". In general, conserving
user attention and reducing warnings is something I am a big fan of.

Even if Chrome does show a warning right now, I am not sure what we
get by mandating this in the spec.

Received on Monday, 2 June 2014 18:09:08 UTC
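The distinction drawn in this message (an http reference that HSTS rewrites to https before any request is sent warrants at most a console message, while genuinely insecure content, such as an embedded image from a non-HSTS third-party host, is mixed content that still needs user-facing handling) as an added Python example; it is not code from the thread or from any browser, and the HSTS cache contents and host names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample HSTS cache: host -> whether includeSubDomains was set.
# These entries are illustrative assumptions, not real HSTS policies.
HSTS_CACHE = {"mail.example": True, "cdn.example": False}


def hsts_covers(host, cache=HSTS_CACHE):
    """True if host has an HSTS entry itself, or an ancestor domain has one
    with includeSubDomains set."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in cache:
            return i == 0 or cache[candidate]
    return False


def classify_subresource(page_url, resource_url, cache=HSTS_CACHE):
    """Return (scheme actually fetched, verdict) for a subresource on a page.

    Verdicts:
      'secure'         - https all along
      'upgraded'       - http reference rewritten to https by HSTS before any
                         request leaves the browser; log to the console only
      'mixed'          - plain http really fetched on a secure page; block or
                         show security UI to the user
      'not-applicable' - the page itself is not https
    """
    page = urlsplit(page_url)
    res = urlsplit(resource_url)
    if page.scheme != "https":
        return res.scheme, "not-applicable"
    if res.scheme == "https":
        return "https", "secure"
    if res.scheme == "http" and hsts_covers(res.hostname or "", cache):
        return "https", "upgraded"
    return res.scheme, "mixed"
```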
