- From: Chris Palmer <palmer@google.com>
- Date: Mon, 5 Jan 2015 11:52:38 -0800
- To: Jeffrey Yasskin <jyasskin@google.com>
- Cc: Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jan 5, 2015 at 10:24 AM, Jeffrey Yasskin <jyasskin@google.com> wrote:
> To get the discussion on the same page, I'd like to make the strawman
> proposal:
>
> The fetch() API should provide some flag that explicitly skips the
> mixed-content checks (https://fetch.spec.whatwg.org/#concept-fetch).
> Possibly this flag should only work when the environment's CSP is
> "sufficiently" restrictive. The Response object should expose its associated
> TLS state.
>
> The concerns about tampering with pure data that Daniel, Martin, and others
> have expressed are real, so I'm not sure I support my strawman, but I think
> it's at least plausible.
>
> My biggest question about this is "how do we communicate it to users?" HTTPS
> and the green lock icon currently mean that the connection is authenticated,
> has integrity, and is confidential. A fetch() that skips mixed-content is
> definitely not confidential, and probably doesn't have authentication or
> integrity. Is the current passive-mixed-content indicator enough for this?

We must start with the story about how we'll communicate it to users. Without that, we go off the rails immediately. And, I don't think we can really afford to add more nuance and distinctions in the already-too-complicated security UX in browsers.

Received on Monday, 5 January 2015 19:53:06 UTC