Re: [UPGRADE] Consider plan B for reduced complexity?

From: Mike West <mkwst@google.com>
Date: Tue, 17 Mar 2015 18:00:03 +0100
Message-ID: <CAKXHy=d-C4+iiupK9bDdDj0_jP7LBWkep2GebjKZk-wQC0h_dA@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Peter Eckersley <pde@eff.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eric Mill <eric@konklone.com>
On Tue, Mar 17, 2015 at 5:42 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:

> On Mon 2015-03-16 05:26:39 -0400, Mike West wrote:
> > Optionally-blockable mixed content is certainly also an important issue,
> > though, as it creates UI degradation, which developers very much wish to
> > avoid (as noted in #2 in the email you're responding to).
>
> If Chrome provides degraded UI for plain http:// sites (I think this has
> been discussed recently, but don't have a link handy), then the site
> operators will have only one way to fix this, which is a move to full
> HTTPS with mixed content at all, right?
>

Indeed.
http://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
is certainly a potential end game for plaintext, but I don't think we can
assume that it's going to happen quickly enough to make developers happy
with a proposal that doesn't deal with the status quo.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 17 March 2015 17:00:56 UTC