- From: Mike West <mkwst@google.com>
- Date: Tue, 10 Jun 2014 16:12:00 +0200
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, Brad Hill <bhill@paypal.com>, Dan Veditz <dveditz@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>
- Message-ID: <CAKXHy=drX3mvNihiPuZo8riW=pJCrX+0kssi9RFz5NjMuGj=1Q@mail.gmail.com>
Thanks Brian, I think your points make a lot of sense. I'm trimming this down to focus on the big picture; if I miss something, let me know.

On Tue, Jun 10, 2014 at 12:34 AM, Brian Smith <brian@briansmith.org> wrote:

> I agree the document must say which types of content must be blocked and
> which types of content should be blocked but may be loaded due to
> compatibility reasons. What I am saying is that a lot of the reasoning
> behind the taxonomy, and part of the taxonomy itself, is irrelevant.

I agree with you that we shouldn't focus on the categories, and I agree with you that the current structure of the document probably makes them seem more important than they ought to be. I'll work on that when I can grab some time.

I'm not entirely convinced that removing the "active" and "passive" definitions from the doc is the right thing to do. Given how widely used those terms are when discussing mixed content on the web, it would be nice to have normative definitions folks can refer to. I'll try to rework this section to define the terms, but not put more emphasis on the categories than they deserve.

> (Looking at what Firefox does now, I see we've already made a mistake in
> not blocking mixed-content sendBeacon and mixed-content <a ping>, and I'll
> file a bug to fix that.)

Yeah, now that you mention it, it's broken in Chrome too. https://codereview.chromium.org/324013003/ is up for review.

> I mostly agree with you, but I think it is more important for us to
> document what we agree to block already ASAP than it is to document
> everything at once. Whether or not we can strip cookies from mixed-content
> images and whatnot is something that needs to be implemented and thoroughly
> tested, and I think that means it is likely to be too far off in the future
> to be in the first version of this document.

I think that's pretty reasonable. The current document has a "User agents MAY screw with mixed content requests however they like." clause (#4 in section 4.1 <http://w3c.github.io/webappsec/specs/mixedcontent/#requirements-fetching>); I think that's probably enough for this version of the doc. It gives browsers room to experiment, and we can come back to the WG with experiences to share. WDYT?

-mike
Received on Tuesday, 10 June 2014 14:12:47 UTC
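The taxonomy the thread argues over (content that must be blocked versus content that may be loaded for compatibility) is easiest to see as a decision function. The following is an added illustration written for this page, not code from the Mixed Content spec, Chromium or Firefox. It assumes a simplified rule set: the document is subject to mixed-content checks only when it was itself delivered over a secure transport; a request is "mixed" when its target is not potentially trustworthy (here: https/wss, or loopback); image, audio and video requests are treated as "optionally blockable" (the "passive" category), and every other request type, including sendBeacon and <a ping>, is "blockable" (the "active" category), which is the behaviour the thread says Firefox and Chrome had failed to implement at the time. The request type names and the set of loopback hosts are illustrative assumptions.

```javascript
// Added example: a mixed-content classifier modelled on the active/passive
// taxonomy discussed in the thread. Not code from any browser or from the
// Mixed Content spec; the category membership below is an assumption.

// Assumption: only these request types are "optionally blockable" (passive).
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// Assumption: https/wss and loopback hosts are potentially trustworthy;
// everything else (http, ws, ftp, ...) is not.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return u.hostname === "localhost" || u.hostname === "127.0.0.1" || u.hostname === "[::1]";
}

// Returns "not-mixed", "optionally-blockable" or "blockable" for a request
// of the given type issued by the given document.
function classifyRequest(documentUrl, requestUrl, requestType) {
  // A document that was not itself delivered securely has nothing to protect.
  if (!isPotentiallyTrustworthy(documentUrl)) return "not-mixed";
  if (isPotentiallyTrustworthy(requestUrl)) return "not-mixed";
  return OPTIONALLY_BLOCKABLE.has(requestType) ? "optionally-blockable" : "blockable";
}

// Policy decision: blockable content is always refused; optionally-blockable
// content is refused only if the user agent opts into stricter behaviour
// (the room for experimentation the thread refers to).
function shouldBlock(documentUrl, requestUrl, requestType, { blockPassive = false } = {}) {
  const cls = classifyRequest(documentUrl, requestUrl, requestType);
  if (cls === "blockable") return true;
  if (cls === "optionally-blockable") return blockPassive;
  return false;
}

// Constructed sample requests from an https document, including the two
// cases the thread singles out (sendBeacon and <a ping>).
const SAMPLE_DOCUMENT = "https://example.com/page";
const SAMPLE_REQUESTS = [
  { url: "http://cdn.example.net/logo.png", type: "image" },
  { url: "http://cdn.example.net/app.js", type: "script" },
  { url: "http://t.example.net/beacon", type: "beacon" },
  { url: "http://t.example.net/ping", type: "ping" },
  { url: "ws://rt.example.net/socket", type: "websocket" },
  { url: "https://cdn.example.net/app.js", type: "script" },
  { url: "http://localhost:8080/dev.js", type: "script" },
];

// Returns an array of { url, type, classification, blocked } for the sample set.
function evaluateSamples(blockPassive = false) {
  return SAMPLE_REQUESTS.map(({ url, type }) => ({
    url,
    type,
    classification: classifyRequest(SAMPLE_DOCUMENT, url, type),
    blocked: shouldBlock(SAMPLE_DOCUMENT, url, type, { blockPassive }),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateSamples());
}
```

With the default policy the png is allowed but the script, beacon, ping and ws: requests are blocked; passing `blockPassive: true` to `evaluateSamples` models a user agent that also refuses the image.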