
[whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 3 Feb 2011 18:38:30 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1102031837190.26730@ps20323.dreamhostps.com>
On Thu, 11 Nov 2010, Ingo Chao wrote:
> For automated error reporting, say for a HTTPS mashup page with 3rd 
> party advertisement content, I would like to have a security warning 
> thrown for the mixed content situation (HTTPS mixed with HTTP content), 
> accessible from JavaScript.

On Sat, 13 Nov 2010, Ingo Chao wrote:
> The mashup combines components, some of them are not under my control. 
> The advertisement service provides 3rd party ads, they will change 
> often. Including the ad service means that I never know if and when 
> someone throws in http content into the mix.
> The error console would show the issue to me, but does not report 
> automatically. I don't want to be dependent on users' bug reports 
> regarding the warning they see occasionally. Users get upset, or think 
> that they'd better leave this insecure place, but usually they won't file 
> a bug report. I need to get this info as soon as the event fires.
> I've seen this scenario on some https mashups, like web mail services 
> that include ad services into their mashup.

On Sat, 13 Nov 2010, Gregory Maxwell wrote:
> This sounds to me like the kind of reasoning which resulted in the CSP 
> policy set stuff:
> https://developer.mozilla.org/en/Security/CSP
> (and, in particular, the violation reports)

I haven't added anything to the spec at this time, on the assumption that 
this is indeed the kind of thing which CSP might fix in the medium-term 
future. If it turns out that CSP, or whatever CSP gets replaced by, 
doesn't solve this use case, then we should revisit it.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 3 February 2011 10:38:30 UTC
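The CSP violation-report route Gregory points to, worked through as an added example (not code from this thread or from any browser's CSP implementation): the report-only policy an HTTPS mashup page could send, and a receiver that decides whether a posted report is the mixed-content case Ingo describes. The header syntax and the csp-report JSON fields follow the later CSP Level 2 specification rather than the 2010 Mozilla draft; the hostnames are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Policy for the HTTPS mashup page. Report-Only mode does not block the ad;
# it only makes the browser POST a violation report to /csp-report, which is
# the "tell me automatically" behaviour asked for in the thread.
CSP_REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-report"
)


def classify_csp_report(body: bytes) -> dict:
    """Parse one CSP violation report (the JSON body the browser POSTs to
    report-uri) and say whether it describes mixed content.

    Returns mixed_content (bool), document_host, blocked_host and directive.
    Raises ValueError on malformed input so an arbitrary POST from the
    internet cannot be logged as a finding.
    """
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("not a CSP violation report") from exc
    if not isinstance(report, dict):
        raise ValueError("csp-report member must be an object")

    document = urlsplit(report.get("document-uri", ""))
    blocked = urlsplit(report.get("blocked-uri", ""))
    # Browsers may send bare tokens ("self", "inline", "eval") or strip the
    # path of cross-origin URIs; only an http: fetch from an https: document
    # is the mixed-content case.
    mixed = document.scheme == "https" and blocked.scheme == "http"
    return {
        "mixed_content": mixed,
        "document_host": document.hostname,
        "blocked_host": blocked.hostname,
        "directive": report.get("effective-directive")
        or report.get("violated-directive"),
    }


# Constructed sample report: an ad slot on an HTTPS webmail page pulled in a
# plain-HTTP image. Hostnames are placeholders, not real services.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://mail.example.test/inbox",
    "violated-directive": "default-src https:",
    "effective-directive": "img-src",
    "original-policy": "default-src https:; report-uri /csp-report",
    "blocked-uri": "http://ads.example.test/banner.gif",
}}).encode()

if __name__ == "__main__":
    print(classify_csp_report(SAMPLE_REPORT))
```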
