W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2016

Re: [MIX] Carveout for ``?

From: Mike West <mkwst@google.com>
Date: Fri, 29 Apr 2016 10:42:19 +0200
Message-ID: <CAKXHy=egyBrga_LJR_yXVbJtU+rHxbPMkdOayRzYp=3mH23OQg@mail.gmail.com>
To: "Eduardo' Vela <Nava>" <evn@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Apr 29, 2016 at 10:27 AM, Eduardo' Vela" <Nava> <evn@google.com>

> Yes please!
I'm not sure if you're supportive because it's a good idea, or because it
will let you break more things. :)

> On Fri, Apr 29, 2016, 09:46 Mike West <mkwst@google.com> wrote:
>> Currently, mixed content checks block `` from loading in
>> a page delivered over TLS. I'm (belatedly) coming around to the idea that
>> that restriction does more harm than good. In particular, I'll note that
>> folks are installing new trusted roots and self-signing certs for that IP
>> address, exposing themselves to additional risk for minimal benefit.
>> Helpful locally installed software is doing the same, with even more
>> associated risk.
>> I'd like to change MIX to use the Secure Contexts spec's notion of
>> "potentially trustworthy" origins as opposed to toggling strictly based on
>> the URL's protocol. This would be a normative change that would force us
>> back to CR again. *shrug* Seems like it might be worth doing anyway.
>> I've filed https://github.com/w3c/webappsec-mixed-content/issues/4 to
>> cover this, and have a PR up at
>> https://github.com/w3c/webappsec-mixed-content/pull/5 for discussion.
>> WDYT?
Note also that I'm thinking about this in the context of
https://mikewest.github.io/cors-rfc1918/, which aims to create more
restrictions on Internet -> Intranet -> Local traffic that are probably
more reasonable. That's going to be tough to ship, but I'm aiming to have a
prototype for discussion at our May F2F.

Received on Friday, 29 April 2016 08:43:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:55 UTC