Re: [MIX]: Move specifics to a non-normative section/document? (Re: "Mixed Content" draft up for review.)

From: Mike West <mkwst@google.com>
Date: Tue, 10 Jun 2014 16:12:00 +0200
Message-ID: <CAKXHy=drX3mvNihiPuZo8riW=pJCrX+0kssi9RFz5NjMuGj=1Q@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, Brad Hill <bhill@paypal.com>, Dan Veditz <dveditz@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>

Thanks Brian, I think your points make a lot of sense. I'm trimming this
down to focus on the big picture; if I miss something, let me know.

On Tue, Jun 10, 2014 at 12:34 AM, Brian Smith <brian@briansmith.org> wrote:

> I agree the document must say which types of content must be blocked and
> which types of content should be blocked but may be loaded due to
> compatibility reasons. What I am saying is that a lot of the reasoning
> behind the taxonomy, and part of the taxonomy itself, is irrelevant.
>

I agree with you that we shouldn't focus on the categories, and I agree
with you that the current structure of the document probably makes them
seem more important than they ought to be. I'll work on that when I can
grab some time.

I'm not entirely convinced that removing the "active" and "passive"
definitions from the doc is the right thing to do. Given how widely used
those terms are when discussing mixed content on the web, it would be nice
to have normative definitions folks can refer to.

I'll try to rework this section to define the terms, but not put more
emphasis on the categories than they deserve.


> (Looking at what Firefox does now, I see we've already made a mistake in
> not blocking mixed-content sendBeacon and mixed-content <a ping>, and I'll
> file a bug to fix that.)
>

Yeah, now that you mention it, it's broken in Chrome too.
https://codereview.chromium.org/324013003/ is up for review.


>  I mostly agree with you, but I think it is more important for us to
> document what we agree to block already ASAP than it is to document
> everything at once. Whether or not we can strip cookies from mixed-content
> images and whatnot is something that needs to be implemented and thoroughly
> tested, and I think that means it is likely to be too far off in the future
> to be in the first version of this document.
>

I think that's pretty reasonable. The current document has a "User agents
MAY screw with mixed content requests however they like." clause (#4 in
section 4.1 <http://w3c.github.io/webappsec/specs/mixedcontent/#requirements-fetching>);
I think that's probably enough for this version of the doc. It gives
browsers room to experiment, and we can come back to the WG with
experiences to share.

WDYT?

-mike
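The thread turns on two decisions a user agent makes at fetch time: is this request mixed content at all, and if so, is it in the "active" (must block) or "passive" (should block, may load for compatibility) category? The example below is an added illustration of that check, not Chrome's or Firefox's code and not text from the Mixed Content draft. Its assumptions are its own: a page is treated as secure when its scheme is https: or wss:, a request as insecure when its scheme is http: or ws:, image/audio/video requests as the passive category, and everything else, including the sendBeacon and <a ping> requests the message says should be blocked, as active. The request-kind labels ("beacon", "ping", ...) are this example's own strings, not the Fetch spec's destination values, and the credential-stripping branch only illustrates the kind of experiment the MAY clause leaves room for.

```javascript
// Added example: a minimal mixed-content decision in the shape the thread
// discusses. Not browser code and not spec text; see the assumptions above.

// Assumption: these request kinds are the "passive" (optionally-blockable)
// category. Every other kind, beacon and ping included, is "active".
const PASSIVE_KINDS = new Set(["image", "audio", "video"]);

// Assumption: only https: and wss: pages count as secure contexts here.
function isSecurePage(pageUrl) {
  const scheme = new URL(pageUrl).protocol;
  return scheme === "https:" || scheme === "wss:";
}

// Assumption: only http: and ws: requests count as insecure here.
function isInsecureRequest(requestUrl) {
  const scheme = new URL(requestUrl).protocol;
  return scheme === "http:" || scheme === "ws:";
}

// Returns "allow" (not mixed), "block" (active mixed content, never sent),
// or "optionally-block" (passive mixed content: may be loaded for
// compatibility, but the user agent MAY block it or alter the request).
function checkMixedContent(pageUrl, requestUrl, kind) {
  if (!isSecurePage(pageUrl) || !isInsecureRequest(requestUrl)) {
    return "allow";
  }
  return PASSIVE_KINDS.has(kind) ? "optionally-block" : "block";
}

// Applies the decision: blockable requests never reach the network;
// optionally-blockable ones are sent without credentials, standing in for
// the cookie-stripping experiment the message mentions (an assumption of
// this example, not a requirement the draft states).
function fetchDecision(pageUrl, requestUrl, kind) {
  const reason = checkMixedContent(pageUrl, requestUrl, kind);
  switch (reason) {
    case "block":
      return { send: false, credentials: "omit", reason };
    case "optionally-block":
      return { send: true, credentials: "omit", reason };
    default:
      return { send: true, credentials: "include", reason };
  }
}

// Constructed sample requests covering the cases raised in the thread.
const SAMPLES = [
  ["https://example.com/", "http://cdn.example/a.png", "image"],        // passive
  ["https://example.com/", "http://tracker.example/beacon", "beacon"],  // navigator.sendBeacon
  ["https://example.com/", "http://tracker.example/ping", "ping"],      // <a ping>
  ["https://example.com/", "http://cdn.example/app.js", "script"],      // active
  ["https://example.com/", "https://cdn.example/app.js", "script"],     // not mixed
  ["http://example.com/", "http://cdn.example/app.js", "script"],       // page not secure
];

function runSamples() {
  return SAMPLES.map(([page, req, kind]) => ({ kind, ...fetchDecision(page, req, kind) }));
}

for (const r of runSamples()) {
  console.log(`${r.kind.padEnd(6)} send=${r.send} credentials=${r.credentials} (${r.reason})`);
}
```

The check is deliberately split from the action: the classification is the part a spec can state normatively, while what a user agent does with an optionally-blockable request (load it, strip credentials, block it outright) is the part the MAY clause leaves open.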
Received on Tuesday, 10 June 2014 14:12:47 UTC