W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: CfC: Mixed Content to PR; deadline July 6th.

From: Mike West <mkwst@google.com>
Date: Fri, 17 Jul 2015 13:44:44 +0200
Message-ID: <CAKXHy=eC_uaGq_LmCNXD4Q5dbotoLibfRUU_TVNwTkM+FtiudQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>, Alex Russell <slightlyoff@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Kristijan Burnik <burnik@google.com>
I'm reliably informed that I'm simply incorrect about Chrome's behavior:
Alex says that Flipboard is already using a Service Worker, and relies on
the ability to cache insecure image content. That surprises me a bit, since
the mixed content implementation in Blink doesn't have an obvious
exclusion, but I don't doubt his claim.

Nevertheless, I believe we decided in the F2F earlier this week to
transition the document to PR as it stands, and to come back to the
question of exclusions (both for SW and for things like EME) in a "Level 2"
document (Brad, Wendy, does that match your recollection?).


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Jul 8, 2015 at 8:52 PM, Brian Smith <brian@briansmith.org> wrote:

> Brian Smith <brian@briansmith.org> wrote:
>> Read what Mike said again. He said that it might be something to change
>> in the NEXT version of Mixed Content, not the current version. He also said
>> that mixed content "fetch" is blocked in Chrome the way the current draft
>> says to do things.
> Reading the source code for the Mozilla Firefox browser [1], I see that
> Firefox has also explicitly chosen to block mixed-content 'fetch'.
> (I also saw that it is mistakenly not blocking mixed content 'beacon' and
> 'ping'. I filed bug
> [1]
> https://dxr.mozilla.org/mozilla-central/source/dom/security/nsMixedContentBlocker.cpp#423
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1181683
Received on Friday, 17 July 2015 11:45:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:50 UTC