- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Fri, 26 Sep 2014 12:24:20 -0700
- To: Ryan Sleevi <sleevi@google.com>, Mike West <mkwst@google.com>
- CC: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
On 9/26/14 12:07 PM, Tanvi Vyas wrote:
> Not quite. Mozilla also does Mixed Content detection/blocking before
> HSTS. On an https page an active http subresource load is blocked
> by the Mixed Content Blocker, even if the subresource is on an HSTS
> page. We don't plan to change this behavior right now, but will
> definitely revisit it as we get closer .
>

Correction... We don't plan to change this behavior right now. The last fragment was meant to be part of the next statement.

> There is a project[1] in progress that could have a side effect of
> changing this so that HSTS redirects happen before Mixed Content
> Blocker. We haven't discussed how we want to handle this yet, but
> will as we get closer to that part of the implementation.
>
> [1] https://wiki.mozilla.org/Security/Features/Revamp_Security_Hooks
Received on Friday, 26 September 2014 19:24:48 UTC