Re: block-all-mixed-content directive on an HTTP page from Mike West on 2016-03-22 (public-webappsec@w3.org from March 2016)

From: Mike West <mkwst@google.com>
Date: Tue, 22 Mar 2016 15:00:21 +0100
To: "Nottingham, Mark" <mnotting@akamai.com>
Cc: Tanvi Vyas <tanvi@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>
Message-ID: <CAKXHy=dG+Tw4hG3o74=M3-OO0HV6v+onp3hLkTxntQwpHFpfAg@mail.gmail.com>

On Tue, Mar 22, 2016 at 1:45 AM, Nottingham, Mark <mnotting@akamai.com>
wrote:

> The strict checking section ([2] below) says it has effects on both 5.3
> and 5.4; looking at them, they both perform a "Does settings prohibit mixed
> security contexts?" check first <
> https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object>,
> and AIUI that has the effect of ignoring the flag for HTTP contexts
> (because it will fall through to "Does Not Restrict Mixed Security
> Contexts").
>
> I think that's the right thing to do, FWIW.
>

I agree. That is, the directive intends to block "mixed content".
Non-secure content loaded into a non-secure page is not "mixed", so we
don't block it. I believe this matches Chrome's behavior.

-mike

Received on Tuesday, 22 March 2016 14:01:11 UTC