- From: Chris Palmer <palmer@google.com>
- Date: Fri, 13 Jun 2014 09:10:35 -0700
- To: Brian Smith <brian@briansmith.org>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, Brad Hill <bhill@paypal.com>, Dan Veditz <dveditz@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>

On Thu, Jun 12, 2014 at 5:29 PM, Brian Smith <brian@briansmith.org> wrote:

> You and I already seem to agree that BEACON and <a ping> should be blocked
> and I haven't heard anybody suggest otherwise, so let's remove them from the
> list. Now, I would guess that there is not much existing <track> or
> <picture>/<srcset> content either, so I think we could probably block those
> now without any significant compatibility impact. And, I wouldn't be
> surprised if we were to find that there is very little <audio> mixed content
> either. So, why not just start blocking all of those right away too?

I would like that.

> Then, potentially the only things that wouldn't be blocked by default would
> be <img> and <video>. If that were to become the case soon, and we also
> agree we're going to block all new kinds of mixed content by default, then
> the old active vs. passive distinction would be more confusing than helpful,
> since it would have basically no relation to how we ultimately decide why
> mixed content <img> and <video> are not blocked but other kinds of mixed
> content (even things that have the same security considerations like
> <picture>) are blocked.

I think active vs. passive is still meaningful, and although somewhat confusing, the "legacy vs. new" distinction would/should/could go a long way toward explaining the discrepancy. (He said, as a "relentlessly optimistic" USA-ian)

Received on Friday, 13 June 2014 16:11:02 UTC