
Re: CfC: Mixed Content to PR; deadline July 6th.

From: Brian Smith <brian@briansmith.org>
Date: Tue, 7 Jul 2015 11:50:33 -0400
Message-ID: <CAFewVt5iOx6BewjsKFAZx5uCzE=TeUibVPzkSAs-_UU22BSX4w@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ryan Sleevi <sleevi@google.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Kristijan Burnik <burnik@google.com>
On Tue, Jul 7, 2015 at 11:40 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jul 7, 2015 at 5:24 PM, Brian Smith <brian@briansmith.org> wrote:
> > It's not a bug, it is what was agreed to by the group. We debated it to
> > death months ago and it was one of the last issues resolved before the
> > spec moved to CR status. I specifically called out the issue at that time
> > so that people could object, and the issue was resolved in favor of the
> > current spec text.
>
> Please provide a reference.


https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0307.html
https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0308.html


> The last email I find on my inbox
> regarding this subject is from Mike suggesting we do indeed want to
> make such a change:
> https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0323.html


Read what Mike said again. He said that it might be something to change in
the NEXT version of Mixed Content, not the current version. He also said
that mixed content "fetch" is blocked in Chrome the way the current draft
says to do things.


> Discussion in the Chromium bug database suggests much the same. And
> it's the common understanding of everyone working on service workers
> that service workers should have minimal side effects (and this being
> one that's not desirable).
>

I understand that the people working on service workers try to avoid having
service workers break things, which is a specific instance of the "don't
break the web" idea. I agree that we should avoid service workers having
gratuitous side effects. But, *this* group also has a principle of
deprecating and disabling mixed content when practical (read the
introductory text to MIX). Keep in mind that, fundamentally, the point of
MIX is to break the "don't break the web" principle to improve security,
and making an exception to the "service workers don't break things" is part
of that.

Cheers,
Brian
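The rule the thread is arguing about, as an added illustration that is not code from the thread, from Chrome or from the Mixed Content draft: a classifier that decides whether a request issued from a secure context (including a fetch() from a service worker registered on an https origin) is mixed content, and whether it falls in the draft's "blockable" or "optionally-blockable" bucket. The scheme and loopback lists, the treatment of data:/blob:/about: as inheriting the client's security, and the sample cases are assumptions made for this example.

```javascript
// Added example, not code from the thread or the Mixed Content spec.
// Classifies a request as mixed content, in the spirit of the draft's
// "potentially secure origin" / "a priori authenticated URL" rules.

// Schemes whose responses cannot be altered on the wire (assumption: the
// two common ones; the draft lists a few more).
const AUTHENTICATED_SCHEMES = new Set(['https:', 'wss:']);

// Loopback hosts are treated as potentially secure even over http:
// (assumption: this list; the draft uses 127.0.0.0/8 and ::1/128).
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Request destinations the draft lets a user agent load anyway (with a
// warning) because the harm is limited to what is rendered.
const OPTIONALLY_BLOCKABLE = new Set(['image', 'video', 'audio']);

function isPotentiallySecure(url) {
  const u = new URL(url);
  if (AUTHENTICATED_SCHEMES.has(u.protocol)) return true;
  return LOOPBACK_HOSTS.has(u.hostname);
}

function isAprioriAuthenticated(url) {
  const u = new URL(url);
  // data:, blob: and about: URLs are never fetched over the network, so
  // they inherit the client's security and cannot be mixed content.
  if (['data:', 'blob:', 'about:'].includes(u.protocol)) return true;
  return isPotentiallySecure(url);
}

// Returns 'not-mixed', 'optionally-blockable' or 'blockable'.
// clientUrl is the document (or service worker scope) making the request.
function classifyMixedContent(clientUrl, requestUrl, destination = '') {
  if (!isPotentiallySecure(clientUrl)) return 'not-mixed';
  if (isAprioriAuthenticated(requestUrl)) return 'not-mixed';
  return OPTIONALLY_BLOCKABLE.has(destination) ? 'optionally-blockable' : 'blockable';
}

// A fetch() call from a service worker script has an empty destination,
// so an http: target from an https: scope lands in the blockable bucket,
// which is the behaviour the thread says the current draft requires.
function serviceWorkerFetchBlocked(scopeUrl, requestUrl) {
  return classifyMixedContent(scopeUrl, requestUrl, '') === 'blockable';
}

// Constructed sample cases: [client, request, destination, expected].
const CASES = [
  ['https://app.example/', 'http://cdn.example/lib.js', '', 'blockable'],
  ['https://app.example/', 'http://cdn.example/logo.png', 'image', 'optionally-blockable'],
  ['https://app.example/', 'https://cdn.example/lib.js', '', 'not-mixed'],
  ['http://app.example/', 'http://cdn.example/lib.js', '', 'not-mixed'],
  ['https://app.example/', 'data:text/plain,hi', '', 'not-mixed'],
  ['http://127.0.0.1:8080/', 'http://cdn.example/lib.js', '', 'blockable'],
];

// True when every sample case classifies as expected.
function runCases() {
  return CASES.every(([client, req, dest, expected]) =>
    classifyMixedContent(client, req, dest) === expected);
}

for (const [client, req, dest] of CASES) {
  console.log(`${client} -> ${req} (${dest || 'fetch'}): ${classifyMixedContent(client, req, dest)}`);
}
```

The point the classifier makes concrete is the one Brian draws: the client here is the service worker's secure scope, not the page that happened to trigger the fetch, so the worker gets no exemption from the mixed content rules that apply to the page itself.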
Received on Tuesday, 7 July 2015 15:51:04 UTC
