
Re: CfC: Mixed Content to PR; deadline July 6th.

From: Mike West <mkwst@google.com>
Date: Wed, 8 Jul 2015 16:51:30 +0200
Message-ID: <CAKXHy=ezPWG5YRzL3qxMNxN5GsvYN5YOkeL4zYEyV8fJGkvWUQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Kristijan Burnik <burnik@google.com>
On Tue, Jul 7, 2015 at 5:50 PM, Brian Smith <brian@briansmith.org> wrote:

>> The last email I find in my inbox
>> regarding this subject is from Mike suggesting we do indeed want to
>> make such a change:
>> https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0323.html
>
>
> Read what Mike said again. He said that it might be something to change in
> the NEXT version of Mixed Content, not the current version. He also said
> that mixed content "fetch" is blocked in Chrome the way the current draft
> says to do things.
>

Right. My position was that browsers have agreed on a set of behavior, so
locking that in is valuable. If we wish to change the requirements based on
new features being added to the platform, we can do that in an update to
the spec.

That's what we agreed on when pushing the CR (or, it's what I thought we
agreed on).


>
>
>> Discussion in the Chromium bug database suggests much the same. And
>> it's the common understanding of everyone working on service workers
>> that service workers should have minimal side effects (and this being
>> one that's not desirable).
>>
>
> I understand that the people working on service workers try to avoid
> having service workers break things, which is a specific instance of the
> "don't break the web" idea. I agree that we should avoid service workers
> having gratuitous side effects. But, *this* group also has a principle of
> deprecating and disabling mixed content when practical (read the
> introductory text to MIX). Keep in mind that, fundamentally, the point of
> MIX is to break the "don't break the web" principle to improve security,
> and making an exception to the "service workers don't break things" is part
> of that.
>

I'm not sure I'd want to claim that MIX breaks "don't break the web". :)

-mike
Received on Wednesday, 8 July 2015 14:52:18 UTC
