- From: Eduardo' Vela\ <evn@google.com>
- Date: Fri, 29 Apr 2016 08:46:27 +0000
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAFswPa9sjWW9L3wW44TWA4CkNJfJguBWyYqZ1pF7HRFaC7uwxA@mail.gmail.com>
Porque no los dos? It broke an extension of my own, and I had to make even more hacks to fix it. https://chrome.google.com/webstore/detail/tamper-chrome-extension/hifhgpdkfodlpnlmlnmhchnkepplebkb/reviews?hl=en On Fri, Apr 29, 2016, 10:42 Mike West <mkwst@google.com> wrote: > On Fri, Apr 29, 2016 at 10:27 AM, Eduardo' Vela" <Nava> <evn@google.com> > wrote: > >> Yes please! >> > I'm not sure if you're supportive because it's a good idea, or because it > will let you break more things. :) > > >> On Fri, Apr 29, 2016, 09:46 Mike West <mkwst@google.com> wrote: >> >>> Currently, mixed content checks block `http://127.0.0.1` from loading >>> in a page delivered over TLS. I'm (belatedly) coming around to the idea >>> that that restriction does more harm than good. In particular, I'll note >>> that folks are installing new trusted roots and self-signing certs for that >>> IP address, exposing themselves to additional risk for minimal benefit. >>> Helpful locally installed software is doing the same, with even more >>> associated risk. >>> >>> I'd like to change MIX to use the Secure Contexts spec's notion of >>> "potentially trustworthy" origins as opposed to toggling strictly based on >>> the URL's protocol. This would be a normative change that would force us >>> back to CR again. *shrug* Seems like it might be worth doing anyway. >>> >>> I've filed https://github.com/w3c/webappsec-mixed-content/issues/4 to >>> cover this, and have a PR up at >>> https://github.com/w3c/webappsec-mixed-content/pull/5 for discussion. >>> >>> WDYT? >>> >> > Note also that I'm thinking about this in the context of > https://mikewest.github.io/cors-rfc1918/, which aims to create more > restrictions on Internet -> Intranet -> Local traffic that are probably > more reasonable. That's going to be tough to ship, but I'm aiming to have a > prototype for discussion at our May F2F. > > -mike >
Attachments
- image/png attachment: Screenshot_20160429-104417.png
Received on Friday, 29 April 2016 08:47:05 UTC