W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: "Mixed Content" draft up for review.

From: Brian Smith <brian@briansmith.org>
Date: Tue, 3 Jun 2014 09:00:43 -0700
Message-ID: <CAFewVt71g9L6AMTJubHGW87L3sDvNCLm4-wA+f60sH46c0mwDg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Ryan Sleevi <rsleevi@chromium.org>, Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, palmer <palmer@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, Brad Hill <bhill@paypal.com>
On Mon, Jun 2, 2014 at 10:35 AM, Daniel Veditz <dveditz@mozilla.com> wrote:

> I think HSTS is indication that all resources, even if URL says HTTP,
>> should be accessed over HTTPS.
>>
>
> For that domain. It doesn't mean the author would never want to include
> other-domain non-SSL content. What are you going to do about the common
> case of viewing embedded images in secure GMail?


Does GMail still have mixed content due to that? See
http://gmailblog.blogspot.com/2013/12/images-now-showing.html. I think your
point still stands, but if we're going to use GMail as an example of how
websites deal with mixed content, they might be a positive example now
instead of a negative example.

Cheers,
Brian
Received on Tuesday, 3 June 2014 16:01:14 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC