Re: block-all-mixed-content directive on an HTTP page

On Tue, Mar 22, 2016 at 1:45 AM, Nottingham, Mark wrote:

> The strict checking section ([2] below) says it has effects on both 5.3
> and 5.4; looking at them, they both perform a "Does settings prohibit mixed
> security contexts?" check first
> and AIUI that has the effect of ignoring the flag for HTTP contexts
> (because it will fall through to "Does Not Restrict Mixed Security
> Contexts").
> I think that's the right thing to do, FWIW.

I agree. That is, the directive intends to block "mixed content".
Non-secure content loaded into a non-secure page is not "mixed", so we
don't block it. I believe this matches Chrome's behavior.


Received on Tuesday, 22 March 2016 14:01:11 UTC
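
A simplified model of the check order discussed in this message, as an added example that is not part of the original thread or the specification text. The field names (`scheme`, `ancestors`, `strictMode`, `optionallyBlockable`) and the https/wss shortcut for secure URLs are assumptions made for illustration.

```javascript
// Simplified model: the "Does settings prohibit mixed security contexts?"
// check runs first, so the strict flag set by block-all-mixed-content is
// never consulted for a context that is non-secure all the way up.

// Returns false for the outcome the thread calls
// "Does Not Restrict Mixed Security Contexts".
function prohibitsMixedSecurityContexts(settings) {
  // Assumption: a context restricts mixed content when it, or any
  // embedding ancestor, was delivered over https.
  const chain = [settings, ...(settings.ancestors || [])];
  return chain.some((ctx) => ctx.scheme === "https");
}

function shouldBlockAsMixedContent(settings, request) {
  // Step 1: non-secure page, nothing is "mixed", strict flag is ignored.
  if (!prohibitsMixedSecurityContexts(settings)) return "allowed";

  // Step 2: secure requests are never mixed content.
  // Assumption: only https: and wss: count as secure in this model.
  const proto = new URL(request.url).protocol;
  if (proto === "https:" || proto === "wss:") return "allowed";

  // Step 3: strict mode treats optionally-blockable content (for example
  // images) as blockable; without it such content is still allowed.
  if (request.optionallyBlockable && !settings.strictMode) return "allowed";
  return "blocked";
}

// Constructed sample contexts and requests.
const httpPageStrict = { scheme: "http", strictMode: true };
const httpsPageStrict = { scheme: "https", strictMode: true };
const httpsPageLax = { scheme: "https", strictMode: false };
const httpFrameInHttps = {
  scheme: "http", strictMode: true, ancestors: [{ scheme: "https" }],
};
const httpImage = { url: "http://img.example/a.png", optionallyBlockable: true };
const httpScript = { url: "http://cdn.example/a.js", optionallyBlockable: false };

console.log(shouldBlockAsMixedContent(httpPageStrict, httpImage));   // HTTP page
console.log(shouldBlockAsMixedContent(httpsPageStrict, httpImage));  // HTTPS, strict
console.log(shouldBlockAsMixedContent(httpsPageLax, httpImage));     // HTTPS, not strict
console.log(shouldBlockAsMixedContent(httpFrameInHttps, httpImage)); // HTTP frame, HTTPS parent
```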