[webkit-dev] Mixed content checking
ap at webkit.org
Wed Jul 23 22:59:42 PDT 2014
23 июля 2014 г., в 17:08, Michael Catanzaro <mcatanzaro at igalia.com> написал(а):
> One problem with these settings is that frames are treated as mixed
> passive content rather than mixed active content. For the WebKitGTK+ API
> I want frames to be treated as active content, which is what most major
> browsers currently do.
Thank you for the heads up!
Can you elaborate on why this is desirable? A non-https frame always has a different origin, so it can't script the main frame.
In other words, how is "active content" defined here?
> I'm also planning to block mixed XMLHttpRequest and WebSocket
> connections when allow-running-of-insecure-content is false.
Same question, why? Cross origin XMLHttpRequest is different from cross origin scripts in that it takes quite a bit of effort to make it work, so it's not the same case of accidentally loading a subresource using http instead of https.
More information about the webkit-dev