
Proposal: Showing the padlock icon on all secure origins

From: Simon Brown <mail@simonandrewbrown.co.uk>
Date: Sat, 21 Nov 2015 14:31:09 +0000
Message-Id: <AF69548E-1580-4202-89B9-C0A0754BB3D0@simonandrewbrown.co.uk>
To: public-webappsec@w3.org

Currently most browsers only show the padlock icon on HTTPS sites, even though there are other secure origins, such as localhost. I propose that browsers start showing the padlock icon for other secure origins, providing there isn’t a security problem, such as an invalid certificate on a HTTP site or content from an insecure origin. This would:

1. Make it easier for users to ascertain whether an origin is secure. Currently secure localhost and insecure HTTP have the same indicators.
2. Increase the perceived normality of the padlock signal, making insecure origins stand out more.
3. Make it more obvious to developers when they are able to use features that are restricted to secure origins. https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
4. Make the transition to marking insecure origins as non-secure more straightforward. https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Received on Sunday, 22 November 2015 20:20:03 UTC
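
The gap the message describes, as an added example that is not part of the original message and is not browser code: it compares an HTTPS-only padlock with the proposed padlock for every secure origin. The secure-origin rules (HTTPS/WSS, loopback hosts, `file:`), the function names and the sample URLs are assumptions made for this illustration.

```javascript
// Added illustration, not browser source. Assumed rules for a "secure origin":
// https/wss schemes, file:, and loopback hosts (localhost, 127.0.0.0/8, ::1).
function isSecureOrigin(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.replace(/:$/, "");
  // WHATWG URL lowercases the host and keeps brackets on IPv6 literals.
  const host = url.hostname.replace(/\.$/, "");
  if (scheme === "https" || scheme === "wss" || scheme === "file") return true;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true; // 127.0.0.0/8
  if (host === "[::1]") return true;
  return false;
}

// Behaviour the message describes as current: padlock on HTTPS only.
// hasSecurityProblem models an invalid certificate or insecure content.
function currentIndicator(urlString, hasSecurityProblem = false) {
  const isHttps = new URL(urlString).protocol === "https:";
  return isHttps && !hasSecurityProblem ? "padlock" : "none";
}

// Behaviour under the proposal: padlock on any secure origin without a problem.
function proposedIndicator(urlString, hasSecurityProblem = false) {
  return isSecureOrigin(urlString) && !hasSecurityProblem ? "padlock" : "none";
}

// URLs whose indicator would change if the proposal were adopted.
function indicatorChanges(urls) {
  return urls.filter((u) => currentIndicator(u) !== proposedIndicator(u));
}

// Constructed sample URLs, not taken from the message.
const SAMPLE_URLS = [
  "https://example.com/",
  "http://example.com/",
  "http://localhost:8080/",
  "http://127.0.0.1:3000/",
  "http://[::1]:3000/",
  "http://localhost.example.com/", // remote host that merely starts with "localhost"
];

for (const u of SAMPLE_URLS) {
  console.log(u.padEnd(32), "current:", currentIndicator(u).padEnd(8),
    "proposed:", proposedIndicator(u));
}
```

Only the three loopback URLs change indicator; `http://localhost.example.com/` stays unmarked because the match is on the whole host name, not a prefix.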
