W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: CfC: Mixed Content to PR; deadline July 6th.

From: Brian Smith <brian@briansmith.org>
Date: Sun, 19 Jul 2015 15:58:27 -0400
Message-ID: <CAFewVt57mHLQSsyZ8tq5Vy+CnxfAriH+GMTSuy22YuM2irs8yg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Dan Veditz <dveditz@mozilla.com>, Kristijan Burnik <burnik@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Alex Russell <slightlyoff@google.com>, Ryan Sleevi <sleevi@google.com>
Anne van Kesteren wrote:

> Mi ke West wrote:

> (Note also that in my ever so brief (and probably incompetent)
> > experimentation, I'm getting mixed content errors when doing anything
> other
> > than a passthrough fetch for insecure content. Maybe I misunderstood
> Alex,
> > or he misunderstood me?)
>
> If by passthrough you mean fetch(event.request) that'd make sense to me.
>

I think that that is a compromise worth considering: Allow mixed-content
fetch in a service worker only if the fetch is forwarding a request
generated from the browser's normal fetching of a <img>, <video>, or
<audio> source, and otherwise block it.

IMO, it doesn't make sense to advance this document to PR if it describes
something where there is not agreement and that people don't intend to
implement. I wish people agreed with what the spec says, but specs are not
supposed to be wishful thinking. I think pushing the current document
forward is likely to result in worse (less strict) mixed content blocking
in real implementations than if we took the time to properly resolve the
issue.

Cheers,
Brian
--
https://briansmith.org/
Received on Sunday, 19 July 2015 19:58:55 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC