- From: Mike West <mkwst@google.com>
- Date: Fri, 16 Jan 2015 06:22:57 +0100
- To: Tanvi Vyas <tanvi@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=fYNx0f_zvSapuVP-UGiCuCvoPXy8Kv9JUb_WbnYZ+fZw@mail.gmail.com>
On Thu, Jan 15, 2015 at 11:39 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:

> Pulling out the section on plugin data. Right now, the spec treats
> subrequests initiated by plugins as optionally blockable.

The spec actually considers them "blockable", similar to XHR (see https://w3c.github.io/webappsec/specs/mixedcontent/#category-optionally-blockable; plugin data requests should be tagged with a request context of "plugin", which isn't listed as one of the optionally blockable contexts).

> Such requests might be for script subresources or they might be for image
> subresources, but either way they are categorized as optionally blockable.
> Since the plugin is the one requesting the resource, it is hard for the
> user agent to tell if the request is for content that should be
> blockable[1]. In order to avoid blocking optionally blockable content,
> user agents have categorized this as optionally blockable even though some
> of the content warrants blocking.

I don't have a solid timeline yet (waiting on numbers), but Chrome's intent is to begin blocking all insecure plugin requests At Some Point In The Relatively Near Future™. We can do this for PPAPI, as it uses our network stack. We can't do it for NPAPI, but we're addressing that in other ways.

> As Mike has suggested below, should we add requirements for plugins? We
> could add text that says plugins must not request blockable content in a
> secure context.

I'm happy to add some text somewhere to that effect. It's not clear to me that plugin vendors will particularly care about being compliant, but we can ask nicely. :)

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 16 January 2015 05:23:45 UTC