The strict checking section ([2] below) says it has effects on both 5.3 and 5.4; looking at them, they both perform a "Does settings prohibit mixed security contexts?" check first <https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object>, and AIUI that has the effect of ignoring the flag for HTTP contexts (because it will fall through to "Does Not Restrict Mixed Security Contexts").

I think that's the right thing to do, FWIW.

Cheers,

> On 22 Mar 2016, at 10:35 AM, Tanvi Vyas <tanvi@mozilla.com> wrote:
>
> Hi,
>
> Christoph just implemented support in Firefox for the CSP directive block-all-mixed-content[1], which should be released with Firefox 48. When looking back at the implementation, I wonder what is the right behavior if the directive is set on an HTTP page. I don't see this case mentioned explicitly in the spec. Is this a use case we should support? Perhaps it would be useful for an HTTP page that is planning to move to HTTPS; the developer may set the directive to avoid mixed content issues once they migrate? Thoughts?
>
> ~Tanvi
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1122236
> [2] https://w3c.github.io/webappsec-mixed-content/#strict-checking

--
Mark Nottingham   mnot@akamai.com   https://www.mnot.net/

Received on Tuesday, 22 March 2016 00:46:27 UTC
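To illustrate the fall-through Mark describes, here is an added Python model (not from the thread or the spec's editors) of the "Does settings prohibit mixed security contexts?" check followed by strict-mode blocking. The scheme and loopback-host sets used for "potentially trustworthy" are a simplification assumed for this example, and the request-side check reuses the same test in place of the spec's a-priori-authenticated URL check.

```python
from urllib.parse import urlsplit

# Assumption for this example: a reduced notion of "potentially trustworthy".
TRUSTWORTHY_SCHEMES = {"https", "wss", "file"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

PROHIBITS = "Prohibits Mixed Security Contexts"
DOES_NOT_RESTRICT = "Does Not Restrict Mixed Security Contexts"


def potentially_trustworthy(origin_or_url: str) -> bool:
    """Simplified check: secure scheme, or a loopback host."""
    parts = urlsplit(origin_or_url)
    return parts.scheme in TRUSTWORTHY_SCHEMES or parts.hostname in LOOPBACK_HOSTS


def prohibits_mixed_security_contexts(origin: str, ancestor_origins=()) -> str:
    """The categorisation step run before strict checking (5.3 / 5.4).

    A settings object is 'Prohibits' if its own origin is potentially
    trustworthy, or if any ancestor browsing context's origin is.
    """
    if potentially_trustworthy(origin):
        return PROHIBITS
    for ancestor in ancestor_origins:
        if potentially_trustworthy(ancestor):
            return PROHIBITS
    return DOES_NOT_RESTRICT


def mixed_content_decision(page_origin: str, request_url: str,
                           block_all_mixed_content: bool,
                           ancestors=(), optionally_blockable=False) -> str:
    """Return 'allowed', 'blocked' or 'optionally-blockable' for one fetch."""
    # An HTTP page with no secure ancestor falls through here, so the
    # block-all-mixed-content flag never comes into play for it.
    if prohibits_mixed_security_contexts(page_origin, ancestors) != PROHIBITS:
        return "allowed"
    if potentially_trustworthy(request_url):
        return "allowed"  # not mixed content at all
    if block_all_mixed_content:
        return "blocked"  # strict checking: block every mixed fetch
    # Default behaviour: blockable content is blocked; optionally-blockable
    # content (e.g. images) is left to the user agent.
    return "optionally-blockable" if optionally_blockable else "blocked"
```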