- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Tue, 20 Jan 2015 09:15:11 -0800
- To: public-webappsec@w3.org
- Message-ID: <54BE8D1F.6040808@mozilla.com>
On 1/20/15 4:05 AM, Mike West wrote: > On Tue, Jan 20, 2015 at 1:01 PM, Anne van Kesteren <annevk@annevk.nl > <mailto:annevk@annevk.nl>> wrote: > > On Tue, Jan 20, 2015 at 12:52 PM, Mike West <mkwst@google.com > <mailto:mkwst@google.com>> wrote: > > I've run with "block-all-mixed-content" instead: > > > https://github.com/w3c/webappsec/commit/d9907898755234c3d3967e56227a9fd3ab480ef3. > > Hopefully that's unambiguous. > > If there's no difference in meaning with "block-mixed-content" I'd go > with that instead and reserve "all" for ambiguous cases. > > > Hrm. *shrug* We already block "blockable" mixed content. Seems like we > need a qualifier to note that we're not only going to continue > blocking blockable mixed content, but that we're not going to give > users a choice in the matter anymore, and we're going to do the same > for "optionally blockable" mixed content. > > But, again, weak opinions, weakly held. I'll hold off on changing the > spec again just in case other folks have other opinions, but I'm not > totally averse to making the string shorter. > I think block-all is clearer, since websites are used to having mixed active content blocked. If we go with "block-mixed-content", web developers may set the directive since they think the browser already does that by default. Or they may purposefully omit it because they mistakenly think it's a way to keep their mixed active content from being blocked.
Received on Tuesday, 20 January 2015 17:15:31 UTC