[webkit-dev] Mixed content checking

Michael Catanzaro mcatanzaro at igalia.com
Tue Aug 5 09:03:06 PDT 2014


On Tue, 2014-08-05 at 11:03 +0200, Mike West wrote:
> Apologies for digging up an old thread; I didn't see it until now.
> 
> On Thu, Jul 24, 2014 at 7:59 AM, Alexey Proskuryakov <ap at webkit.org>
> wrote:
> > In other words, how is "active content" defined here?
> 
> Note that the WebAppSec WG is working on a mixed content spec that
> drops the "active"/"passive" distinction in favor of "stuff we can
> block without breaking the web"/"images":
> http://w3c.github.io/webappsec/specs/mixedcontent/#categories Feedback
> on that document would be welcome.
> 
> As Michael notes in his response, Chrome is busy tightening its
> implementation to match that spec. Some details on that in
> https://groups.google.com/a/chromium.org/d/msg/security-dev/Uxzvrqb6IeU/wb51F3nV7csJ
> 
> -mike

Thanks Mike, I will definitely read that spec and keep it in mind as an
end goal. Our mixed content blocking will probably not be so
comprehensive at first, but it's good to have a formal goal and also
indicates that I might have been mistaken to expose "block active mixed
content" and "block passive mixed content" as separate settings --
probably "block all mixed content" and "block selected mixed content"
would be more sensible levers for browsers to have.

Michael


