
Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Mark Watson <watsonm@netflix.com>
Date: Mon, 5 Jan 2015 13:51:02 -0800
Message-ID: <CAEnTvdDDMreP9Q6qvEcKyKtY3P4jTK_pV9JTmRombc9xvaoyMQ@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 5, 2015 at 1:45 PM, Chris Palmer <palmer@google.com> wrote:

> On Mon, Jan 5, 2015 at 1:32 PM, Mark Watson <watsonm@netflix.com> wrote:
> > How about if a page could declare, in the first HTML page that is
> > downloaded, that it intends to use mixed content. In this case the UX is
> > made identical to an http page, though under the covers HTTPS is used for
> > many of the resources.
> >
> > In the case where the user explicitly typed "https://..." or clicked on a
> > link that was explicitly visible as https, you might want to show an
> > explicit warning. But most of the time users are just typing the domain
> > name, getting redirected from the http:// version or clicking on search
> > engine results (where visible indication of https could be suppressed for
> > such sites).
> The burden is not on users to declare they want security.
> The burden is on site operators — who at least nominally have the
> knowledge and the ability — to provide at least the bare minimum.

Sure, but I was addressing the question of whether there was a way to
allow mixed content without giving misleading indications to users. A site
that is almost entirely HTTPS, but with HTTP used to retrieve some data
resources, seems to be better than having the site entirely HTTP, no? My
suggestion is that the appropriate UX in that case is the same as an HTTP
site, even though the security properties might be better.

My second paragraph was entirely a pre-emptive response to the point that
*some users* do explicitly ask for security - by explicitly typing HTTPS -
and so one should be careful not just to downgrade them without warning.

Received on Monday, 5 January 2015 21:51:29 UTC
