Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Tue, 20 Jan 2015 09:15:11 -0800
Message-ID: <54BE8D1F.6040808@mozilla.com>
To: public-webappsec@w3.org

On 1/20/15 4:05 AM, Mike West wrote:
> On Tue, Jan 20, 2015 at 1:01 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>
>     On Tue, Jan 20, 2015 at 12:52 PM, Mike West <mkwst@google.com> wrote:
>     > I've run with "block-all-mixed-content" instead:
>     > https://github.com/w3c/webappsec/commit/d9907898755234c3d3967e56227a9fd3ab480ef3.
>     > Hopefully that's unambiguous.
>
>     If there's no difference in meaning with "block-mixed-content" I'd go
>     with that instead and reserve "all" for ambiguous cases.
>
>
> Hrm. *shrug* We already block "blockable" mixed content. Seems like we 
> need a qualifier to note that we're not only going to continue 
> blocking blockable mixed content, but that we're not going to give 
> users a choice in the matter anymore, and we're going to do the same 
> for "optionally blockable" mixed content.
>
> But, again, weak opinions, weakly held. I'll hold off on changing the 
> spec again just in case other folks have other opinions, but I'm not 
> totally averse to making the string shorter.
>
I think block-all is clearer, since websites are used to having mixed 
active content blocked.  If we go with "block-mixed-content", web 
developers may set the directive since they think the browser already 
does that by default.  Or they may purposefully omit it because they 
mistakenly think it's a way to keep their mixed active content from 
being blocked.

Received on Tuesday, 20 January 2015 17:15:31 UTC