
Re: CfC: Mixed Content to PR; deadline July 6th.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 28 Jul 2015 19:36:48 +0200
Message-ID: <CADnb78in+89ty+-NxE_Zyn1DJcoCioR3MDJqZrPFcNLwjZV0MQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Dan Veditz <dveditz@mozilla.com>, Kristijan Burnik <burnik@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Alex Russell <slightlyoff@google.com>, Ryan Sleevi <sleevi@google.com>

On Tue, Jul 28, 2015 at 7:24 PM, Brian Smith <brian@briansmith.org> wrote:
> In particular, it is unclear to me what prevents a service worker from
> returning a response retrieved over http:// in response to an https://
> request.

That would be Mixed Content (and I suppose it won't always disallow that).

> Is that specified in the service workers spec, the fetch spec, or
> this spec? Where in which spec?

In general security checks for requests and responses are in Fetch,
which calls out to various algorithms in CSP (yet to be written),
HSTS, Mixed Content, Referrer Policy, Integrity, ...

Received on Tuesday, 28 July 2015 17:37:13 UTC