- From: Chris Palmer <palmer@google.com>
- Date: Mon, 5 Jan 2015 13:45:59 -0800
- To: Mark Watson <watsonm@netflix.com>
- Cc: Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jan 5, 2015 at 1:32 PM, Mark Watson <watsonm@netflix.com> wrote:

> How about if a page could declare, in the first HTML page that is
> downloaded, that it intends to use mixed content. In this case the UX is
> made identical to an http page, though under the covers HTTPS is used for
> many of the resources.
>
> In the case where the user explicitly typed "https://..." or clicked on a
> link that was explicitly visible as https, you might want to show an
> explicit warning. But most of the time users are just typing the domain
> name, getting redirected from the http:// version or clicking on search
> engine results (where visible indication of https could be suppressed for
> such sites).

The burden is not on users to declare they want security. The burden is on site operators — who at least nominally have the knowledge and the ability — to provide at least the bare minimum.

Received on Monday, 5 January 2015 21:46:26 UTC