[MIX] Carveout for ``?

Currently, mixed content checks block `` from loading in a
page delivered over TLS. I'm (belatedly) coming around to the idea that
that restriction does more harm than good. In particular, I'll note that
folks are installing new trusted roots and self-signing certs for that IP
address, exposing themselves to additional risk for minimal benefit.
Helpful locally installed software is doing the same, with even more
associated risk.

I'd like to change MIX to use the Secure Contexts spec's notion of
"potentially trustworthy" origins as opposed to toggling strictly based on
the URL's protocol. This would be a normative change that would force us
back to CR again. *shrug* Seems like it might be worth doing anyway.

I've filed https://github.com/w3c/webappsec-mixed-content/issues/4 to cover
this, and have a PR up at
https://github.com/w3c/webappsec-mixed-content/pull/5 for discussion.



Received on Friday, 29 April 2016 07:44:39 UTC