Re: "Mixed Content" draft up for review.

On 6/2/14 5:35 AM, Mike West wrote:
>
>
>     "Is document a secure browsing context?" This algorithm does not seem
>     to work how you want it to work. It seems first you want to get the
>     list of inclusive ancestors of a given document's associated browsing
>     context and then verify that for all of them the associated document
>     is TLS-protected. And only at that point do you want to return true.
>
>
> Checking the top-level resource is currently all that Chrome does. 
> Hopefully Tanvi can weigh in on Mozilla's implementation.
>
> That said, I don't think we need to traverse the entire chain if each 
> resource load checks its parent. The child frames should then be 
> transitively secure.
Mozilla's implementation checks the parent rather than the top, similar to 
this example from the spec:
|http://a.com| frames |https://b.com|, which loads |http://evil.com|. In 
this case, the insecure request to |evil.com| will be blocked, as 
|b.com| was loaded over a secure connection, even though |a.com| was not.

As Mike says, we do not need to go up through the whole chain, as child 
frames are transitively secure.

Received on Monday, 2 June 2014 21:26:43 UTC
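To make the disagreement in this thread concrete, here is an added example (my own toy model, not spec text and not Chromium or Gecko code) that builds the frame tree from the example above and evaluates the load of http://evil.com under three candidate readings of "is this document a secure context": check only the top-level document (what Mike describes Chrome doing), check the requesting/parent document (what Tanvi describes Mozilla doing), and require every inclusive ancestor to be TLS-protected (Anne's reading of the draft algorithm). "TLS-protected" is modelled purely by URL scheme, and the policy names, the `Doc` class and the helper functions are my assumptions for illustration.

```javascript
// Toy frame-tree model for the "is document a secure browsing context" discussion.
// Added example; the Doc class, policy names and helpers are assumptions of this
// illustration, not the draft's algorithm or any browser's implementation.

class Doc {
  constructor(url, parent = null) {
    this.url = url;
    this.parent = parent;   // embedding document; null for the top-level document
    this.children = [];     // frames that were actually allowed to load into this document
  }
  // TLS-protection is modelled purely by scheme (assumption of the toy model).
  get secure() {
    return new URL(this.url).protocol === "https:";
  }
  get top() {
    let d = this;
    while (d.parent) d = d.parent;
    return d;
  }
  inclusiveAncestors() {
    const out = [];
    for (let d = this; d; d = d.parent) out.push(d);
    return out;
  }
}

// Each policy answers: is `doc` a secure context, so that an http:// load it issues is mixed content?
const policies = {
  // Look only at the top-level document (as Mike describes Chrome's behaviour at the time).
  top: (doc) => doc.top.secure,
  // Look at the requesting (parent) document itself (as Tanvi describes Mozilla's behaviour).
  parent: (doc) => doc.secure,
  // Require every inclusive ancestor to be TLS-protected (Anne's reading of the draft algorithm).
  allAncestors: (doc) => doc.inclusiveAncestors().every((d) => d.secure),
};

function isBlocked(policy, requester, url) {
  const insecureRequest = new URL(url).protocol === "http:";
  return insecureRequest && policies[policy](requester);
}

// Attempt to load `url` as a frame inside `parent`; returns the new Doc, or null if blocked.
function loadFrame(policy, parent, url) {
  if (isBlocked(policy, parent, url)) return null;
  const child = new Doc(url, parent);
  parent.children.push(child);
  return child;
}

// The thread's example: http://a.com frames https://b.com, which loads http://evil.com.
function runExample(policy) {
  const a = new Doc("http://a.com/");
  const b = loadFrame(policy, a, "https://b.com/"); // an https request is never mixed content
  const evil = b && loadFrame(policy, b, "http://evil.com/");
  return { bLoaded: b !== null, evilBlocked: b !== null && evil === null };
}

// Mike's transitivity claim under the parent policy: every frame that actually got loaded
// anywhere beneath a secure document is itself secure, so nothing above it needs rechecking.
function subtreeAllSecure(doc) {
  return doc.children.every((c) => c.secure && subtreeAllSecure(c));
}

function transitivityHolds() {
  const a = new Doc("http://a.com/");
  const b = loadFrame("parent", a, "https://b.com/");
  loadFrame("parent", b, "http://evil.com/");          // blocked: b is secure
  const c = loadFrame("parent", b, "https://c.com/");  // allowed
  loadFrame("parent", c, "http://d.com/");             // blocked: c is secure
  loadFrame("parent", c, "https://e.com/");            // allowed
  return subtreeAllSecure(b);
}

for (const p of Object.keys(policies)) {
  console.log(p, runExample(p));
}
console.log("parent policy keeps secure subtrees secure:", transitivityHolds());
```

Run with `node` and compare the three rows: only the parent check blocks evil.com on this tree. The top-only check lets it through because a.com is not secure, and the all-ancestors reading lets it through as well, because b.com has an insecure ancestor and so is not itself a "secure context" under that reading, even though the spec's prose example says the load is blocked. The last line is the transitivity property Mike relies on: since each frame load is checked against its embedding document, an insecure frame can never end up below a secure one, so walking further up the chain than the parent adds nothing.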