block-all-mixed-content directive on an HTTP page

Hi,

Christoph just implemented support in Firefox for the CSP directive 
block-all-mixed-content[1], which should be released with Firefox 48.  
When looking back at the implementation, I wonder what is the right 
behavior if the directive is set on an HTTP page.  I don't see this case 
mentioned explicitly in the spec.  Is this a use case we should 
support?  Perhaps it would be useful for an HTTP page that is planning to 
move to HTTPS; the developer may set the directive to avoid mixed 
content issues once they migrate?  Thoughts?

~Tanvi

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1122236
[2] https://w3c.github.io/webappsec-mixed-content/#strict-checking

Received on Monday, 21 March 2016 23:35:52 UTC