Re: "Mixed Content" draft up for review. from Brian Smith on 2014-06-03 (public-webappsec@w3.org from June 2014)

From: Brian Smith <brian@briansmith.org>
Date: Tue, 3 Jun 2014 09:00:43 -0700
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Ryan Sleevi <rsleevi@chromium.org>, Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, palmer <palmer@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, Brad Hill <bhill@paypal.com>
Message-ID: <CAFewVt71g9L6AMTJubHGW87L3sDvNCLm4-wA+f60sH46c0mwDg@mail.gmail.com>

On Mon, Jun 2, 2014 at 10:35 AM, Daniel Veditz <dveditz@mozilla.com> wrote:

> I think HSTS is indication that all resources, even if URL says HTTP,
>> should be accessed over HTTPS.
>>
>
> For that domain. It doesn't mean the author would never want to include
> other-domain non-SSL content. What are you going to do about the common
> case of viewing embedded images in secure GMail?

Does GMail still have mixed content due to that? See
http://gmailblog.blogspot.com/2013/12/images-now-showing.html. I think your
point still stands, but if we're going to use GMail as an example of how
websites deal with mixed content, they might be a positive example now
instead of a negative example.

Cheers,
Brian

Received on Tuesday, 3 June 2014 16:01:14 UTC