
Re: [SRI] Escaping mixed-content blocking for video distribution

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 13 Nov 2014 10:55:37 +0100
Message-ID: <CADnb78ibuVNGG2Zi=LQ52yXikdi2_VP5xkzRc5JyxKnh0ShyHA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: David Dorwin <ddorwin@google.com>, Brian Smith <brian@briansmith.org>, Mark Watson <watsonm@netflix.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Nov 13, 2014 at 10:50 AM, Mike West <mkwst@google.com> wrote:
> But if offering such a thing leads to Netflix and other media providers
> migrating everything but video distribution over to HTTPS, and allows us to
> lock down APIs with dangerous characteristics (like EME and WebCrypto) to a
> document whose ancestor chain is all HTTPS, then it's probably worth
> considering, at least in the short run.

Are we actually blocking fetch()'s no CORS mode? Or is that allowed to
cross the HTTPS to HTTP boundary? I guess it would have to be allowed
otherwise using service workers would break sites that depend on HTTP
assets, but allowing it also seems rather shitty.


-- 
https://annevankesteren.nl/
Received on Thursday, 13 November 2014 09:56:04 UTC
