On Tue, Mar 22, 2016 at 1:45 AM, Nottingham, Mark <mnotting@akamai.com>
wrote:
> The strict checking section ([2] below) says it has effects on both 5.3
> and 5.4; looking at them, they both perform a "Does settings prohibit mixed
> security contexts?" check first <
> https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object>,
> and AIUI that has the effect of ignoring the flag for HTTP contexts
> (because it will fall through to "Does Not Restrict Mixed Security
> Contexts").
>
> I think that's the right thing to do, FWIW.
>
I agree. That is, the directive intends to block "mixed content".
Non-secure content loaded into a non-secure page is not "mixed", so we
don't block it. I believe this matches Chrome's behavior.
-mike