
Re: Proposal for a MIX Level 2 roadmap.

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Fri, 27 Oct 2017 16:20:22 -0700
Message-ID: <CALC7Gs4Wv-7Cokaa5cJmUZo0kdyiWnv7KC76gTSXbP_BkLtvBg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Emily Stark <estark@google.com>, Peter Eckersley <pde@eff.org>, Brad Hill <hillbrad@gmail.com>
Hi Mike,

Thanks for coming up with a proposal to help get us closer to eliminating
mixed content!  A few comments inline.



> 1.  Upgrade blockable mixed content to HTTPS by default rather than
> blocking it.
>
Desktop Firefox's UI to unblock mixed content is pretty hidden.  There is
no visual indicator in the url bar to show mixed content is blocked. To
unblock it, you have to click the i icon, then an arrow, then a button.
The number of disables we see is nominal, to the point that I almost want
to remove the feature (https://mzl.la/2yaJrv6).  One of the reasons we
haven't done that is because we might want to reuse the same UI for
optionally-blockable content that we start blocking.  Removing the UI and
then adding it back later could cause confusion.

Anyway, the point is, since the web and users seem to have adapted to
tolerate a web where blockable mixed content doesn't load, should we bother
trying to upgrade it (and potentially dealing with script timeout issues
that Kate mentioned that could prevent the rest of the page from loading)?

One question, what made you change your mind about auto-upgrading?  You
mention some research on comparing http and https content in the proposal.
Is that the motivation, or are there other factors involved?



> 2.  Treat optionally-blockable mixed content as blockable by default, with
> an opt-in to status quo behavior.
>
This sounds like a good idea, if we have some confidence that the websites
that have optionally-blockable mixed content are aware of their problem.
We could also consider making everything but image optionally-blockable.
(In that case though, we may need to revisit some of my points under 1, as
they may no longer be valid when we start inserting more content types into
the blockable mixed content category.)

Would trying to upgrade optionally-blockable mixed content have the same
type of problems with timeouts?  Perhaps an https script could be waiting
for an http image to load before loading the rest of the page, but that
sounds a lot more uncommon than pausing page load because of a script.




> 3.  Deprecate and remove `Upgrade-Insecure-Requests` in favor of the above.
>
> 4.  Remove their user-facing blockable mixed content overrides.
>
This largely depends on what we decide above.  Also note that on Firefox
for Android, an unblock option doesn't exist.

Hope to discuss more at TPAC.

Thanks!

~Tanvi
Received on Friday, 27 October 2017 23:20:46 UTC
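The two policy options being debated above (status quo vs. the proposed roadmap's points 1 and 2), modelled as an added example that is not code from the proposal or from any browser; the `allow_optionally_blockable` opt-in flag and the sample resource list are assumptions, since the thread names no concrete opt-in mechanism.

```python
from urllib.parse import urlsplit, urlunsplit

# Request kinds that Mixed Content Level 1 treats as optionally-blockable
# (image, audio, video); every other kind is blockable.
OPTIONALLY_BLOCKABLE = {"image", "audio", "video"}


def is_mixed(page_url: str, resource_url: str) -> bool:
    """A request is mixed content when an https page loads a plain-http subresource."""
    return urlsplit(page_url).scheme == "https" and urlsplit(resource_url).scheme == "http"


def upgrade(url: str) -> str:
    """Rewrite http to https, keeping host, path and query (what auto-upgrade would fetch)."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def decide(page_url, resource_url, kind, policy="current", allow_optionally_blockable=False):
    """Return ("load" | "block" | "upgrade", url_to_fetch_or_None).

    policy="current":  blockable is blocked; optionally-blockable loads over http.
    policy="proposed": blockable is upgraded to https instead of blocked (point 1);
      optionally-blockable is blocked unless the site opts in to status quo (point 2).
      The opt-in flag is an assumption for this example.
    """
    if not is_mixed(page_url, resource_url):
        return ("load", resource_url)
    optional = kind in OPTIONALLY_BLOCKABLE
    if policy == "current":
        return ("load", resource_url) if optional else ("block", None)
    if policy == "proposed":
        if optional:
            return ("load", resource_url) if allow_optionally_blockable else ("block", None)
        return ("upgrade", upgrade(resource_url))
    raise ValueError(f"unknown policy {policy!r}")


def audit(page_url, resources, **kw):
    """Classify every subresource of a page under one policy (useful before a policy switch)."""
    return {url: decide(page_url, url, kind, **kw) for url, kind in resources}


# Constructed sample: an https page with one secure and two insecure subresources.
PAGE = "https://example.test/article"
RESOURCES = [
    ("http://cdn.example.test/app.js", "script"),
    ("http://cdn.example.test/hero.jpg", "image"),
    ("https://cdn.example.test/style.css", "style"),
]

if __name__ == "__main__":
    for policy in ("current", "proposed"):
        print(policy, audit(PAGE, RESOURCES, policy=policy))
```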
