- From: Mike West <mkwst@google.com>
- Date: Thu, 23 Oct 2014 15:32:48 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cDk=rJd7X6wWrbA+wD=0+oj+WKG5sX0NkXY1O6ngPsTQ@mail.gmail.com>
Chrome simply refuses to connect to anything it considers weak or deprecated, which simplifies the mixed content logic dramatically. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Oct 23, 2014 at 3:31 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Thu, Oct 23, 2014 at 2:00 PM, Mike West <mkwst@google.com> wrote: > > Yeah. We can improve the wording of the latter definition. I think you > can > > safely s/An[sic] resource's/A/ without losing any meaning, though. > > Except that the bits about TLS no longer make sense... > > > > That said, it's a bit hand-wavy in general due to the "weak" and > > "deprecated" bits. The _origin_ isn't really enough to make those > > judgements, as they require the TLS handshake to complete so that the > user > > agent can evaluate the ciphers that were agreed-upon. > > > > We should probably be talking about a different concept here, but it's > not > > clear to me what fits. Suggestions welcome. > > As I said in another thread, at the point of creating various objects > and setting their origins, e.g. documents, we should probably add > additional data. It might make sense to study Chrome's implementation > to see what specifications we should modify (given that the > architecture is reasonable and not a hack). > > > -- > https://annevankesteren.nl/ >
Received on Thursday, 23 October 2014 13:33:37 UTC