Re: Mixed Content Level 2 from Tanvi Vyas on 2018-02-08 (public-webappsec@w3.org from February 2018)

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Thu, 8 Feb 2018 11:49:35 -0800
To: John Wilander <wilander@apple.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CALC7Gs5KAA6wZHgqK=0fd-OgBALu=hidHixas7S-KV0H5Zvb_g@mail.gmail.com>

Hey John,

A few of us are actually getting together to discuss this the day before
our next webappsec call.  I will invite you as well.  We at Mozilla have a
few other proposals, including the one where we strip cookies from passive
content.  We can get together and discuss all our different ideas and take
it from there.

~Tanvi

On Thu, Feb 8, 2018 at 11:33 AM, John Wilander <wilander@apple.com> wrote:

> Hi WebAppSec!
>
> Emily brought up the idea of upgrading rather than blocking mixed content
> requests during TPAC:
> https://www.w3.org/2017/11/07-webappsec-minutes.html#item02
>
> We are positive trying to do this and it seems Mozilla is too. Microsoft
> is tentatively negative because of breakage and perf. (Please correct me if
> my interpretation is wrong.)
>
> The issue the WG kind of left open was HTTP image requests with some
> specific references to image search in Google and Bing. Tanvi mentioned
> stripping cookies as a middle way if we have to still support mixed images.
>
> Is Mixed Content Level 2 a thing? Are any of the browsers doing something
> in this space, especially auto-upgrade?
>
>    Regards, John
>

Received on Thursday, 8 February 2018 19:49:59 UTC