Re: block-all-mixed-content directive on an HTTP page

The strict checking section ([2] below) says it has effects on both 5.3 and 5.4; looking at them, they both perform a "Does settings prohibit mixed security contexts?" check first <https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object>, and AIUI that has the effect of ignoring the flag for HTTP contexts (because it will fall through to "Does Not Restrict Mixed Security Contexts").

I think that's the right thing to do, FWIW.

Cheers,


> On 22 Mar 2016, at 10:35 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
> 
> Hi,
> 
> Christoph just implemented support in Firefox for the CSP directive block-all-mixed-content[1], which should be released with Firefox 48.  When looking back at the implementation, I wonder what is the right behavior if the directive is set on an HTTP page.  I don't see this case mentioned explicitly in the spec.  Is this a use case we should support?  Perhaps it would be useful for an HTTP page that is planning to move to HTTPS; the developer may set the directive to avoid mixed content issues once they migrate?  Thoughts?
> 
> ~Tanvi
> 
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1122236
> [2] https://w3c.github.io/webappsec-mixed-content/#strict-checking

--
Mark Nottingham    mnot@akamai.com    https://www.mnot.net/

Received on Tuesday, 22 March 2016 00:46:27 UTC
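A simplified model of the decision order Mark describes (categorize the settings object first, consult the strict-checking flag only afterwards), added here as an illustration; it is not code from the spec, Firefox, or either poster, and the function and field names are my own assumptions. It also covers the case of an http: frame embedded in an https: page, where the ancestor check makes the directive take effect.

```javascript
// Simplified model of the Mixed Content spec's decision chain, written for
// this thread (not spec or browser code). Names and shapes are assumptions.
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);
const AUTHENTICATED_SCHEMES = new Set(["https:", "wss:", "data:", "about:"]);

// 5.1 "Does settings prohibit mixed security contexts?" (simplified):
// a document is restricted if its own origin or any ancestor's origin is https.
function categorizeSettings(settings) {
  const chain = [settings, ...(settings.ancestors || [])];
  return chain.some((s) => new URL(s.origin).protocol === "https:")
    ? "Prohibits Mixed Security Contexts"
    : "Does Not Restrict Mixed Security Contexts";
}

// 5.3 "Should fetching request be blocked as mixed content?" (simplified).
// The categorization check runs before the strict flag is consulted, so
// block-all-mixed-content on a plain http: page never changes the outcome.
function shouldBlockAsMixedContent(settings, request) {
  if (categorizeSettings(settings) === "Does Not Restrict Mixed Security Contexts") {
    return "allowed";
  }
  const url = new URL(request.url);
  if (AUTHENTICATED_SCHEMES.has(url.protocol)) return "allowed";
  if (settings.strictMixedContentChecking) return "blocked"; // block-all-mixed-content
  if (OPTIONALLY_BLOCKABLE.has(request.destination)) return "allowed"; // loads, with a warning
  return "blocked"; // blockable content (scripts, frames, XHR, ...) is always blocked
}

// Constructed scenarios matching the question raised in the thread.
function threadScenarios() {
  const img = { url: "http://example.com/logo.png", destination: "image" };
  const script = { url: "http://example.com/app.js", destination: "script" };
  const httpPage = { origin: "http://example.com", strictMixedContentChecking: true };
  const httpsPage = { origin: "https://example.com", strictMixedContentChecking: true };
  const httpFrameInHttps = { ...httpPage, ancestors: [{ origin: "https://parent.example" }] };
  return {
    httpImage: shouldBlockAsMixedContent(httpPage, img), // directive ignored
    httpScript: shouldBlockAsMixedContent(httpPage, script), // directive ignored
    httpsImage: shouldBlockAsMixedContent(httpsPage, img), // strict mode blocks it
    httpsImageLax: shouldBlockAsMixedContent({ ...httpsPage, strictMixedContentChecking: false }, img),
    httpsScriptLax: shouldBlockAsMixedContent({ ...httpsPage, strictMixedContentChecking: false }, script),
    framedHttpImage: shouldBlockAsMixedContent(httpFrameInHttps, img), // ancestor is https
  };
}
```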