[whatwg] Encrypted HTTP and related security concerns - make mixed content warnings accessible from JS?
Ian Hickson
ian at hixie.ch
Thu Feb 3 10:38:30 PST 2011
On Thu, 11 Nov 2010, Ingo Chao wrote:
>
> For automated error reporting, say for a HTTPS mashup page with 3rd
> party advertisement content, I would like to have a security warning
> thrown for the mixed content situation (HTTPS mixed with HTTP content),
> accessible from JavaScript.
On Sat, 13 Nov 2010, Ingo Chao wrote:
>
> The mashup combines components, some of them are not under my control.
> The advertisement service provides 3rd party ads, they will change
> often. Including the ad service means that I never know if and when
> someone throws in http content into the mix.
>
> The error console would show the issue to me, but does not report
> automatically. I don't want to be dependent on user's bug reports
> regarding the warning they see occasionally. Users get upset, or think
> that they'd better leave this insecure place, but usually they won't file
> a bug report. I need to get this info as soon as the event fires.
>
> I've seen this scenario on some https mashups, like web mail services
> that include ad services into their mashup.
On Sat, 13 Nov 2010, Gregory Maxwell wrote:
>
> This sounds to me like the kind of reasoning which resulted in the CSP
> policy set stuff:
>
> https://developer.mozilla.org/en/Security/CSP
>
> (and, in particular, the violation reports)
I haven't added anything to the spec at this time, on the assumption that
this is indeed the kind of thing which CSP might fix in the medium-term
future. If it turns out that CSP, or whatever CSP gets replaced by,
doesn't solve this use case, then we should revisit it.
Cheers,
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
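Added example, not part of the thread above and not code from any of its participants: the CSP violation-report route that Gregory Maxwell points to, applied to Ingo Chao's mixed-content case. A report-only policy of the form `default-src https:; report-uri /csp-report` makes the browser post a JSON `csp-report` for every http: subresource on an https: page without blocking the ads; current browsers additionally dispatch a `securitypolicyviolation` DOM event carrying the same fields (`documentURI`, `blockedURI`, `effectiveDirective`), which is the in-page JavaScript signal Ingo asked for. Such a policy also reports inline scripts and other non-mixed-content violations, so the collector below classifies by scheme. The `/csp-report` endpoint, the hostnames and the sample reports are all constructed for this example.

```javascript
// Added example: classify CSP violation reports to find mixed content on an
// HTTPS page. Handles both shapes the browser produces, which carry the same
// fields under different names: the JSON posted to report-uri
// ({"csp-report": {"document-uri": ..., "blocked-uri": ...}}) and the in-page
// SecurityPolicyViolationEvent (event.documentURI, event.blockedURI).

// Assumed report-only policy, sent as Content-Security-Policy-Report-Only.
// It reports every non-https: load (and inline script) without blocking it.
const REPORT_ONLY_POLICY = "default-src https:; report-uri /csp-report";

// Normalize either report shape to one object with camelCase fields.
function normalizeViolation(v) {
  const r = v["csp-report"] || v;
  const pick = (camel, kebab) =>
    r[camel] !== undefined ? r[camel] : (r[kebab] || "");
  return {
    documentURI: pick("documentURI", "document-uri"),
    blockedURI: pick("blockedURI", "blocked-uri"),
    effectiveDirective: pick("effectiveDirective", "effective-directive"),
    // Reports omit disposition when the policy is enforcing.
    disposition: pick("disposition", "disposition") || "enforce",
  };
}

function schemeOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  return m ? m[1].toLowerCase() : "";
}

// Mixed content: an https: document that loaded (or tried to load) an http:
// subresource. Values such as "inline", "eval" or "data" are not mixed content.
function isMixedContent(v) {
  const n = normalizeViolation(v);
  return schemeOf(n.documentURI) === "https" && schemeOf(n.blockedURI) === "http";
}

// Group mixed-content violations by offending host and directive, so an ad
// rotation that injects many http: assets from one network is one finding.
function mixedContentByHost(violations) {
  const counts = new Map();
  for (const v of violations) {
    if (!isMixedContent(v)) continue;
    const n = normalizeViolation(v);
    let host;
    try { host = new URL(n.blockedURI).host; } catch (e) { host = n.blockedURI; }
    const key = `${host} (${n.effectiveDirective || "unknown-directive"})`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return Object.fromEntries([...counts.entries()].sort());
}

// Constructed sample reports (not real traffic): two http: ad assets and one
// inline script on an https: webmail page as report-uri JSON, plus one
// in-page event object for a third-party tracker.
const SAMPLE_VIOLATIONS = [
  { "csp-report": { "document-uri": "https://mail.example.com/inbox",
      "blocked-uri": "http://ads.example.net/banner.js",
      "effective-directive": "script-src", "disposition": "report" } },
  { "csp-report": { "document-uri": "https://mail.example.com/inbox",
      "blocked-uri": "http://ads.example.net/pixel.gif",
      "effective-directive": "img-src", "disposition": "report" } },
  { "csp-report": { "document-uri": "https://mail.example.com/inbox",
      "blocked-uri": "inline", "effective-directive": "script-src" } },
  { documentURI: "https://mail.example.com/inbox",
    blockedURI: "http://tracker.example.org/t.js",
    effectiveDirective: "script-src", disposition: "report" },
];

console.log("policy:", REPORT_ONLY_POLICY);
console.log(mixedContentByHost(SAMPLE_VIOLATIONS));
```

Run the classifier over whatever the `/csp-report` handler receives (or over `securitypolicyviolation` events in the page) and alert on any non-empty result; that is the automated report Ingo wanted instead of waiting for users to notice the warning. Because the policy is report-only, the ads keep loading while the offending network is identified; once found, `upgrade-insecure-requests` or an https:-only ad contract is the fix rather than the report.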