W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: CfC: Mixed Content to PR; deadline July 6th.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 30 Jul 2015 10:24:32 +0200
Message-ID: <CADnb78i22gG5oi4bdn6rawORnp3aWM4DTB1yK_gtFMUC3DzjMA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Dan Veditz <dveditz@mozilla.com>, Kristijan Burnik <burnik@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Alex Russell <slightlyoff@google.com>, Ryan Sleevi <sleevi@google.com>
On Thu, Jul 30, 2015 at 9:59 AM, Mike West <mkwst@google.com> wrote:
> Anne: I'm not sure what you meant by "I suppose it won't always disallow
> that". When would we want to allow insecure responses to secure requests? I
> don't think that's something we've discussed, nor is it something I think is
> terribly appealing.

If you have

  <img src=https://example.com/x>

and the service worker replies with

  e.respondWith(fetch("http://unsafe.example/x", {mode:"no-cors"}))

there's nothing really that prevents that. There's also nothing that
prevents the service worker from writing out that document as

  <img src=http://unsafe.example/x>

in the first place so I don't think it matters much.

Received on Thursday, 30 July 2015 08:24:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:50 UTC