On Mon, Jan 5, 2015 at 1:45 PM, Chris Palmer <palmer@google.com> wrote:
> On Mon, Jan 5, 2015 at 1:32 PM, Mark Watson <watsonm@netflix.com> wrote:
>
> > How about if a page could declare, in the first HTML page that is
> > downloaded, that it intends to use mixed content. In this case the UX is
> > made identical to an http page, though under the covers HTTPS is used for
> > many of the resources.
> >
> > In the case where the user explicitly typed "https://..." or clicked on a
> > link that was explicitly visible as https, you might want to show an
> > explicit warning. But most of the time users are just typing the domain
> > name, getting redirected from the http:// version or clicking on search
> > engine results (where visible indication of https could be suppressed for
> > such sites).
>
> The burden is not on users to declare they want security.
>
> The burden is on site operators — who at least nominally have the
> knowledge and the ability — to provide at least the bare minimum.
>
Sure, but I was addressing the question of whether there was a way to
allow mixed content without giving misleading indications to users. A site
that is almost entirely HTTPS, but with HTTP used to retrieve some data
resources, seems to be better than having the site entirely HTTP, no? My
suggestion is that the appropriate UX in that case is the same as an HTTP
site, even though the security properties might be better.

My second paragraph was entirely a pre-emptive response to the point that
*some users* do explicitly ask for security - by explicitly typing HTTPS -
and so one should be careful not just to downgrade them without warning.
...Mark
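The scenario under discussion is a site that is almost entirely HTTPS but still pulls a few resources over plain HTTP. Before a site operator can decide what to do about that (or before a browser can decide how to present it), someone has to find those resources. The following is an added example, not code from this thread or from any of its participants: a small standard-library Python audit that takes the URL a page was loaded from and its HTML, resolves every subresource reference, and lists the ones that would be fetched over http://. It splits them the way browsers categorize mixed content, into "blockable" kinds (scripts, stylesheets, frames, plugins, whose compromise gives script execution in the page) and "optionally blockable" kinds (images and media). The tag/attribute table and the sample HTML are constructed for the example; the hostnames are placeholders.

```python
"""Mixed-content audit for one HTML document (added example, not from the thread).

Given the URL a page was served from and its HTML, return the subresource
URLs that would be fetched over plain HTTP, split into the two categories
browsers use for mixed content.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that name a subresource (constructed table, common cases only).
_URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# Kinds whose compromise yields script execution in the page: "blockable".
_BLOCKABLE = {"script", "link", "iframe", "object", "embed"}


class _Collector(HTMLParser):
    """Collect (tag, absolute URL) pairs for every subresource reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheet links are fetched as page subresources here;
            # icons, canonical links etc. are ignored for this audit.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for name in _URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                # urljoin resolves relative and protocol-relative ("//host/x")
                # references against the page URL, so "//cdn/x.js" on an
                # https page correctly resolves to https.
                self.refs.append((tag, urljoin(self.base_url, value)))


def audit_mixed_content(page_url, html):
    """Return {'blockable': [...], 'optionally_blockable': [...]} of http:// URLs.

    A page that is not itself https cannot have mixed content, so both
    lists are empty in that case.
    """
    result = {"blockable": [], "optionally_blockable": []}
    if urlsplit(page_url).scheme != "https":
        return result
    collector = _Collector(page_url)
    collector.feed(html)
    for tag, url in collector.refs:
        if urlsplit(url).scheme == "http":
            key = "blockable" if tag in _BLOCKABLE else "optionally_blockable"
            result[key].append(url)
    return result


# Constructed sample page: mostly https, with a handful of http references.
SAMPLE_PAGE_URL = "https://www.example.test/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.test/app.js"></script>
<link rel="icon" href="http://cdn.example.test/favicon.ico">
</head><body>
<img src="http://img.example.test/logo.png">
<img src="//img.example.test/hero.png">
<video src="https://media.example.test/clip.mp4"
       poster="http://media.example.test/poster.jpg"></video>
<iframe src="http://partner.example.test/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    report = audit_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for category, urls in report.items():
        print(f"{category}:")
        for url in urls:
            print(f"  {url}")
```

On the sample page the audit reports two blockable references (the script and the iframe) and two optionally blockable ones (the logo image and the video poster); the favicon is not a page subresource in this sense and the protocol-relative image resolves to https, so neither is flagged. This is a static view of the markup only: resources added by scripts at runtime would need a browser-side check such as the console's mixed-content warnings.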