W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2016

Re: block-all-mixed-content directive on an HTTP page

From: Nottingham, Mark <mnotting@akamai.com>
Date: Tue, 22 Mar 2016 00:45:55 +0000
To: Tanvi Vyas <tanvi@mozilla.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, "Christoph Kerschbaumer" <ckerschbaumer@mozilla.com>
Message-ID: <33C5CD10-1E50-4B64-96B0-2A6314604A36@akamai.com>
The strict checking section ([2] below) says it has effects on both 5.3 and 5.4; looking at them, they both perform a "Does settings prohibit mixed security contexts?" check first <https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object>, and AIUI that has the effect of ignoring the flag for HTTP contexts (because it will fall through to "Does Not Restrict Mixed Security Contexts").

I think that's the right thing to do, FWIW.


> On 22 Mar 2016, at 10:35 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> Hi,
> Christoph just implemented support in Firefox for the CSP directive block-all-mixed-content[1], which should be released with Firefox 48.  When looking back at the implementation, I wonder what is the right behavior if the directive is set on an HTTP page.  I don't see this case mentioned explicitly in the spec.  Is this a use case we should support?  Perhaps it would be useful for an HTTP page is planning to move to HTTPS; the developer may set the directive to avoid mixed content issues once they migrate?  Thoughts?
> ~Tanvi
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1122236
> [2] https://w3c.github.io/webappsec-mixed-content/#strict-checking

Mark Nottingham    mnot@akamai.com    https://www.mnot.net/
Received on Tuesday, 22 March 2016 00:46:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:55 UTC