Mixed Content Level 2

Hi WebAppSec!

Emily brought up the idea of upgrading rather than blocking mixed content requests during TPAC:
https://www.w3.org/2017/11/07-webappsec-minutes.html#item02

We are positive about trying to do this and it seems Mozilla is too. Microsoft is tentatively negative because of breakage and perf. (Please correct me if my interpretation is wrong.)

The issue the WG kind of left open was HTTP image requests with some specific references to image search in Google and Bing. Tanvi mentioned stripping cookies as a middle way if we have to still support mixed images.

Is Mixed Content Level 2 a thing? Are any of the browsers doing something in this space, especially auto-upgrade?

   Regards, John

Received on Thursday, 8 February 2018 19:34:42 UTC