block-all-mixed-content directive on an HTTP page


Christoph just implemented support in Firefox for the CSP directive 
block-all-mixed-content[1], which should be released with Firefox 48.  
When looking back at the implementation, I wonder what is the right 
behavior if the directive is set on an HTTP page.  I don't see this case 
mentioned explicitly in the spec.  Is this a use case we should 
support?  Perhaps it would be useful for an HTTP page that is planning to 
move to HTTPS; the developer may set the directive to avoid mixed 
content issues once they migrate?  Thoughts?



Received on Monday, 21 March 2016 23:35:52 UTC