- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 3 Feb 2011 18:38:30 +0000 (UTC)
On Thu, 11 Nov 2010, Ingo Chao wrote:
>
> For automated error reporting, say for a HTTPS mashup page with 3rd
> party advertisement content, I would like to have a security warning
> thrown for the mixed content situation (HTTPS mixed with HTTP content),
> accessible from JavaScript.

On Sat, 13 Nov 2010, Ingo Chao wrote:
>
> The mashup combines components, some of them are not under my control.
> The advertisement service provides 3rd party ads, they will change
> often. Including the ad service means that I never know if and when
> someone throws in http content into the mix.
>
> The error console would show the issue to me, but does not report
> automatically. I don't want to be dependent on user's bug reports
> regarding the warning they see occasionally. Users get upset, or think
> that they'd better leave this insecure place, but usually they won't file
> a bug report. I need to get this info as soon as the event fires.
>
> I've seen this scenario on some https mashups, like web mail services
> that include ad services into their mashup.

On Sat, 13 Nov 2010, Gregory Maxwell wrote:
>
> This sounds to me like the kind of reasoning which resulted in the CSP
> policy set stuff:
>
> https://developer.mozilla.org/en/Security/CSP
>
> (and, in particular, the violation reports)

I haven't added anything to the spec at this time, on the assumption that
this is indeed the kind of thing which CSP might fix in the medium-term
future. If it turns out that CSP, or whatever CSP gets replaced by,
doesn't solve this use case, then we should revisit it.

Cheers,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 3 February 2011 10:38:30 UTC
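
The CSP violation reports mentioned in the thread could serve the automated-reporting use case roughly as follows. This is an added example, not part of the original message or of any spec text. It assumes the standardized `Content-Security-Policy-Report-Only` header and `report-uri` directive rather than the 2010 Mozilla draft syntax; the `/csp-report` path, the host names and the sample reports are constructed.

```javascript
// Added example. "/csp-report" and every host below are constructed placeholders.
// Report-only mode: nothing is blocked, but each non-HTTPS load produces a report.
const POLICY_HEADER = "Content-Security-Policy-Report-Only: " +
  "default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri /csp-report";

function schemeOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Classify one POSTed report body. Anyone can POST to the collector,
// so the body is untrusted input: parse defensively and never throw.
function classifyReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return { mixed: false, reason: "invalid-json" }; }
  const r = parsed && parsed["csp-report"];
  if (!r || typeof r !== "object") return { mixed: false, reason: "not-a-csp-report" };
  const page = String(r["document-uri"] || "");
  const resource = String(r["blocked-uri"] || "");
  if (schemeOf(page) !== "https") return { mixed: false, reason: "page-not-https" };
  // blocked-uri may also be "inline", "eval" or "data"; those are not mixed content.
  if (!["http", "ws"].includes(schemeOf(resource))) return { mixed: false, reason: "other-violation" };
  return { mixed: true, page, resource, directive: String(r["violated-directive"] || "unknown") };
}

// Count mixed-content hits per offending origin so the noisiest third party surfaces first.
function summarize(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    const c = classifyReport(body);
    if (!c.mixed) continue;
    let origin;
    try { origin = new URL(c.resource).origin; } catch (e) { origin = c.resource; }
    counts.set(origin, (counts.get(origin) || 0) + 1);
  }
  return counts;
}

// Constructed sample bodies, shaped like the JSON a browser POSTs to report-uri.
const report = (page, blocked) => JSON.stringify({ "csp-report": {
  "document-uri": page, "blocked-uri": blocked, "violated-directive": "default-src https:" } });
const SAMPLE_REPORTS = [
  report("https://mail.example.com/inbox", "http://ads.example.net"),
  report("https://mail.example.com/inbox", "http://ads.example.net/banner.js"),
  report("https://mail.example.com/inbox", "data"),
  "not json",
];
console.log(POLICY_HEADER, Object.fromEntries(summarize(SAMPLE_REPORTS)));
```

Browsers typically truncate a cross-origin `blocked-uri` to its origin, which is why the summary groups by origin rather than by full URL.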