W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2018

Re: Mixed Content Level 2

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Thu, 8 Feb 2018 11:49:35 -0800
Message-ID: <CALC7Gs5KAA6wZHgqK=0fd-OgBALu=hidHixas7S-KV0H5Zvb_g@mail.gmail.com>
To: John Wilander <wilander@apple.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hey John,

A few of us are actually getting together to discuss this the day before
our next webappsec call.  I will invite you as well.  We at Mozilla have a
few other proposals, including the one where we strip cookies from passive
content.  We can get together and discuss all our different ideas and take
it from there.

~Tanvi

On Thu, Feb 8, 2018 at 11:33 AM, John Wilander <wilander@apple.com> wrote:

> Hi WebAppSec!
>
> Emily brought up the idea of upgrading rather than blocking mixed content
> requests during TPAC:
> https://www.w3.org/2017/11/07-webappsec-minutes.html#item02
>
> We are positive trying to do this and it seems Mozilla is too. Microsoft
> is tentatively negative because of breakage and perf. (Please correct me if
> my interpretation is wrong.)
>
> The issue the WG kind of left open was HTTP image requests with some
> specific references to image search in Google and Bing. Tanvi mentioned
> stripping cookies as a middle way if we have to still support mixed images.
>
> Is Mixed Content Level 2 a thing? Are any of the browsers doing something
> in this space, especially auto-upgrade?
>
>    Regards, John
>
Received on Thursday, 8 February 2018 19:49:59 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 8 February 2018 19:49:59 UTC