
block-all-mixed-content directive on an HTTP page

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Mon, 21 Mar 2016 16:35:22 -0700
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Christoph Kerschbaumer <ckerschbaumer@mozilla.com>
Message-ID: <56F0853A.2030504@mozilla.com>

Hi,

Christoph just implemented support in Firefox for the CSP directive 
block-all-mixed-content[1], which should be released with Firefox 48.  
When looking back at the implementation, I wonder what is the right 
behavior if the directive is set on an HTTP page.  I don't see this case 
mentioned explicitly in the spec.  Is this a use case we should 
support?  Perhaps it would be useful for an HTTP page that is planning to
move to HTTPS; the developer may set the directive to avoid mixed
content issues once they migrate?  Thoughts?

~Tanvi

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1122236
[2] https://w3c.github.io/webappsec-mixed-content/#strict-checking
Received on Monday, 21 March 2016 23:35:52 UTC
