W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] Escaping mixed-content blocking for video distribution

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 13 Nov 2014 10:55:37 +0100
Message-ID: <CADnb78ibuVNGG2Zi=LQ52yXikdi2_VP5xkzRc5JyxKnh0ShyHA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: David Dorwin <ddorwin@google.com>, Brian Smith <brian@briansmith.org>, Mark Watson <watsonm@netflix.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Nov 13, 2014 at 10:50 AM, Mike West <mkwst@google.com> wrote:
> But if offering such a thing lead to Netflix and other media providers
> migrating everything but video distribution over to HTTPS, and allows us to
> lock down APIs with dangerous characteristics (like EME and WebCrypto) to a
> document whose ancestor chain is all HTTPS, then it's probably worth
> considering, at least in the short run.

Are we actually blocking fetch()'s no CORS mode? Or is that allowed to
cross the HTTPS to HTTP boundary? I guess it would have to be allowed
otherwise using service workers would break sites that depend on HTTP
assets, but allowing it also seems rather shitty.

Received on Thursday, 13 November 2014 09:56:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:42 UTC