
Re: [SRI] Escaping mixed-content blocking for video distribution

From: Mike West <mkwst@google.com>
Date: Thu, 13 Nov 2014 11:16:26 +0100
Message-ID: <CAKXHy=cq_Fyiee0pZnpVTkMWPniRaoaaJs+g5Xf+K6agr+DG5g@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: David Dorwin <ddorwin@google.com>, Brian Smith <brian@briansmith.org>, Mark Watson <watsonm@netflix.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Nov 13, 2014 at 10:55 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Are we actually blocking fetch()'s no CORS mode? Or is that allowed to
> cross the HTTPS to HTTP boundary? I guess it would have to be allowed
> otherwise using service workers would break sites that depend on HTTP
> assets, but allowing it also seems rather shitty.
It's not clear to me where we ended up in that conversation. My suggestion
was that we allow requests based on the request context: if the user agent
would block script, then block insecure script requests from a SW. If the
user agent would display images, don't block insecure image requests from a
SW.

Whether we'd degrade the UI for every page using the SW or just the page
making the insecure request is probably an open question.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Commercial register and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 13 November 2014 10:17:17 UTC
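As an added example (not code from this thread or from any browser's implementation), the context-based rule Mike proposes modelled as a policy that a service worker's fetch path could consult. It assumes the Mixed Content spec's categories (image, audio and video are optionally-blockable, everything else including fetch() and script is blockable) and, for the open question, takes the "degrade only the requesting page" option; the client ids, URLs and the `evaluateAll` helper are constructed for the example.

```javascript
// Added example: a model of "block insecure requests from a SW exactly where
// the UA would block them on the page". Not code from the thread or any browser.
// Assumption: Mixed Content spec categories, and per-client UI degradation.
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// https:, wss: and loopback origins are treated as secure transport here;
// anything else (http:, ws:) is insecure.
function isSecureUrl(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

// Mixed content: a secure client asking for a resource over insecure transport.
function isMixedContent(clientUrl, requestUrl) {
  return isSecureUrl(clientUrl) && !isSecureUrl(requestUrl);
}

class MixedContentPolicy {
  constructor() { this.degradedClients = new Set(); }

  // clientId/clientUrl describe the page the SW acts for (FetchEvent.clientId);
  // destination is the request's destination ("" for a plain fetch()).
  decide({ clientId, clientUrl, requestUrl, destination }) {
    if (!isMixedContent(clientUrl, requestUrl)) return "allow";
    // Blockable contexts (script, style, fetch(), XHR, workers, ...): the UA
    // would refuse them on the page, so refuse them from the SW as well.
    if (!OPTIONALLY_BLOCKABLE.has(destination)) return "block";
    // Optionally-blockable contexts: load, but degrade only the requesting page.
    this.degradedClients.add(clientId);
    return "allow";
  }

  isDegraded(clientId) { return this.degradedClients.has(clientId); }
}

// Constructed sample: two secure pages and one plain-http page, all served
// through the same service worker.
const SAMPLE_REQUESTS = [
  { clientId: "c1", clientUrl: "https://shop.example/", requestUrl: "http://cdn.example/app.js", destination: "script" },
  { clientId: "c1", clientUrl: "https://shop.example/", requestUrl: "http://cdn.example/hero.png", destination: "image" },
  { clientId: "c2", clientUrl: "https://shop.example/cart", requestUrl: "http://api.example/cart", destination: "" },
  { clientId: "c3", clientUrl: "http://blog.example/", requestUrl: "http://cdn.example/app.js", destination: "script" },
];

// Returns one decision per request, in order: ["block", "allow", "block", "allow"]
function evaluateAll(policy, requests) {
  return requests.map((r) => policy.decide(r));
}
```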
