
Re: [MIX] Initial feedback on Mixed Content

From: Jake Archibald <jakearchibald@google.com>
Date: Fri, 14 Nov 2014 15:48:13 +0000
Message-ID: <CAPy=JorDJzUc=9NfL83pgpObv+SA0Sh804Oi8BOU+Bw_odko9Q@mail.gmail.com>
To: Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri Nov 14 2014 at 11:10:13 Mike West <mkwst@google.com> wrote:
>
> To fix this, I suggest adding an additional step along the lines of
>> "If any service worker was registered, then return blocked" before "If
>> request’s mode is CORS or CORS-with-forced-preflight, return blocked."
>>
>
> If a website can request a particular video/audio/image, then it's not
> clear that a Service Worker shouldn't be able to do the same (with UI
> degradation, as appropriate). Jake (CC'd) has harangued me with the example
> of a podcasting app, for instance: it's absolutely something we'd want to
> see work offline, and the <audio> tag is perfectly capable of playing back
> insecure content.
>
> Should we block Service Worker from doing the same? I don't think that's
> as clear-cut as you suggest.
>

Also, one of the bad things about appcache is that a valid but otherwise empty
manifest makes massive changes to the behaviour of the page. No
subresources will load, and the page pointing to the manifest will be
cached. This is terrible, and we want to avoid doing the same with
ServiceWorker: an empty-but-valid ServiceWorker should have no impact on
the loading of the page and resources.
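To make the two positions in the thread concrete, here is an added example (not code from the thread, from Chrome, or from any spec): a toy JavaScript model of the mixed-content decision, where the request shape, the two policy names and the "allowed-with-degradation" result are assumptions for illustration, not the Mixed Content spec's actual algorithm.

```javascript
// Toy model of the mixed-content check debated above. Not the spec algorithm:
// the request shape, policy names and result strings are assumptions.

// Destinations the thread treats as tolerable insecure content for a page
// (audio/video/image can play back insecure content with UI degradation).
const OPTIONALLY_BLOCKABLE = new Set(["audio", "video", "image"]);

function isInsecureUrl(url) {
  // Anything not served over TLS counts as insecure for this model.
  return new URL(url).protocol !== "https:";
}

/**
 * Decide whether a request issued from a secure (https:) page is blocked.
 * request: { url, mode, destination, viaServiceWorker }
 * policy:  "block-sw" - the proposed extra step: if a service worker issued
 *                       the request, return blocked, checked BEFORE the CORS
 *                       step, as suggested in the thread.
 *          "parity"   - the counter-position: a service worker gets exactly
 *                       the treatment the page itself would get.
 * Returns "allowed", "blocked" or "allowed-with-degradation".
 */
function mixedContentCheck(request, policy) {
  if (!isInsecureUrl(request.url)) return "allowed";
  if (policy === "block-sw" && request.viaServiceWorker) return "blocked";
  // Requests in CORS mode never tolerate insecure responses.
  if (request.mode === "cors") return "blocked";
  if (OPTIONALLY_BLOCKABLE.has(request.destination)) {
    return "allowed-with-degradation";
  }
  return "blocked";
}

// Constructed sample: the podcasting app from the thread, fetching an
// insecure episode from inside a service worker for an <audio> element.
const podcastEpisode = {
  url: "http://podcast.example/episode1.mp3",
  mode: "no-cors",
  destination: "audio",
  viaServiceWorker: true,
};
```

Under "block-sw" the offline podcast case is blocked outright, while under "parity" it is allowed with the same UI degradation the page would get, which is the gap the thread is arguing over.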

Received on Friday, 14 November 2014 15:48:40 UTC
