W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: CfC: Mixed Content to PR; deadline July 6th.

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 17 Jul 2015 16:44:13 +0000
Message-ID: <CAEeYn8gWzz9pUWEmL_8LVGj0ZN-rciK2G1uZe57Xefbu6s9j9w@mail.gmail.com>
To: Mike West <mkwst@google.com>, Brian Smith <brian@briansmith.org>, Alex Russell <slightlyoff@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Kristijan Burnik <burnik@google.com>
+1

On Fri, Jul 17, 2015 at 4:45 AM Mike West <mkwst@google.com> wrote:

> I'm reliably informed that I'm simply incorrect about Chrome's behavior:
> Alex says that Flipboard is already using a Service Worker, and relies on
> the ability to cache insecure image content. That surprises me a bit, since
> the mixed content implementation in Blink doesn't have an obvious
> exclusion, but I don't doubt his claim.
>
> Nevertheless, I believe we decided in the F2F earlier this week to
> transition the document to PR as it stands, and to come back to the
> question of exclusions (both for SW and for things like EME) in a "Level 2"
> document (Brad, Wendy, does that match your recollection?).
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Wed, Jul 8, 2015 at 8:52 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> Brian Smith <brian@briansmith.org> wrote:
>>
>>> Read what Mike said again. He said that it might be something to change
>>> in the NEXT version of Mixed Content, not the current version. He also said
>>> that mixed content "fetch" is blocked in Chrome the way the current draft
>>> says to do things.
>>>
>>
>> Reading the source code for the Mozilla Firefox browser [1], I see that
>> Firefox has also explicitly chosen to block mixed-content 'fetch'.
>>
>> (I also saw that it is mistakenly not blocking mixed content 'beacon' and
>> 'ping'. I filed bug
>>
>> [1]
>> https://dxr.mozilla.org/mozilla-central/source/dom/security/nsMixedContentBlocker.cpp#423
>> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1181683
>>
>
>
Received on Friday, 17 July 2015 16:44:51 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC