Closed claustromaniac closed 5 years ago
Just FYI, 1442990 was set to RESOLVED WONTFIX, because upgrading mixed passive content is going to be the default behavior as per the Mixed Content Level 2 spec.
Well, that's better than nothing, but by the time it gets implemented (I'm just guessing here), HTTP will probably be deprecated (or near enough with scary NOT SECURE warnings in the urlbar if any content is insecure: i.e. most of the top sites will have changed)
Personally, I've never seen the relevance of the "top sites". Most of those already support HTTPS by default, and that won't change.
The Internet is so big that I don't need to use any of those sites, and I'm sure I'm not alone on that (thank gods!)
True ... and that's only the surface web. But for most people I doubt they stray outside the top 1M or whatever except for their local news or shops maybe.
Meanwhile ... I found an excellent image for POOP .. https://thechive.files.wordpress.com/2019/10/0e429b7be7ed04ef0d4706a8e5137ec0.jpg 🤣
But for most people...
Right, that change won't be very meaningful for them, which seems to imply that the W3C is trying to improve the Internet for people like me too! (thanks W3C!)
I found an excellent image for POOP
Cool. Does it have a license? Can I borrow it for my page? (assuming I ever manage to get back to working on that thing!).
TL;DR: I'm proposing to add the pref in the title, in addition to the 3 prefs that we have for controlling mixed content:
For these STR, I will refer to 1240 as blockActive, 1241 as blockDisplay, 1243 as blockPlugin, and security.mixed_content.upgrade_display_content as upgradeDisplay.
1. Go to about:config
2. Set blockActive, blockDisplay, and blockPlugin to false
3. In a new tab, go to https://www.bennish.net/mixed-content.html (which would be a nice addition to the wiki BTW)
4. Without leaving that tab, go to devtools, network tab (Ctrl+Shift+E) and reload the page. You should see insecure requests being made (hover over the padlocks in the list of requests for more info)
5. Open the scratchpad, paste the following code and run it:
   The code simply injects an <img> HTML element that triggers a request to github.githubassets.com over HTTP. The octocat gif should appear at the very bottom of the page.
6. check the devtools to confirm the octocat image was loaded over http
7. set upgradeDisplay to true, reload the page and re-run the scratchpad script
8. check the devtools, notice the green padlock for that request. You can also click the request in the list to confirm (on the right-hand panel) the target url is https://github.githubassets... Also, notice how upgradeDisplay prevented the other images in that site from loading, because they can't be upgraded to HTTPS. (conclusion 1: when the content can't be loaded over HTTPS, upgradeDisplay does not load it over HTTP)
9. set blockDisplay to true and reload, re-run script
10. same result as in step 8 (conclusion 2: upgradeDisplay has higher priority than blockDisplay, because the octocat gif was loaded without a hitch over HTTPS)
11. test the remaining different combinations of prefs (with blockActive and blockPlugin) to confirm they don't conflict with each other (conclusion 3: there don't seem to be any issues with the other prefs)
12. give me some catnip
Correct me if I'm wrong, but it seems the rationale for not adding this pref after the discussion in #367 was that:
My counter-arguments:
blockDisplay is false by default. There might be other reasons, but that sounds like the most likely explanation to me.
I think this at least deserves some more consideration, and maybe investigating some more. I didn't start digging the source code yet (time constraints as always), but I think we can at the very least add this inactive as a FYI.
Anyway, I know :jeans: wants as few issues open as possible, so feel free to close this whenever you want.
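For working through the pref combinations in the steps above, the following sketch (an added example, not part of the original post and not Firefox's implementation) encodes conclusions 1 and 2 as a small model and enumerates every combination of blockActive, blockDisplay and upgradeDisplay. The httpsWorks flag, the sample URLs and the outcome labels are assumptions made for illustration; blockPlugin is left out.

```javascript
// Model of the behaviour reported in the post; pref names are the post's shorthand.
// Tags treated as "display" (passive) content; everything else counts as active.
const DISPLAY_TAGS = new Set(["img", "audio", "video"]);

// req: { tag, url, httpsWorks }. httpsWorks is a constructed flag saying whether
// the same resource can be fetched over HTTPS.
function predict(prefs, req) {
  const url = new URL(req.url);
  if (url.protocol !== "http:") return { outcome: "loaded", url: url.href };
  if (DISPLAY_TAGS.has(req.tag)) {
    if (prefs.upgradeDisplay) {
      // Conclusion 2: the upgrade takes priority over blockDisplay.
      url.protocol = "https:";
      // Conclusion 1: no fallback to HTTP when the HTTPS fetch fails.
      return { outcome: req.httpsWorks ? "upgraded" : "not-loaded", url: url.href };
    }
    return { outcome: prefs.blockDisplay ? "blocked" : "loaded-insecure", url: url.href };
  }
  // upgradeDisplay only concerns display content; active content follows blockActive.
  return { outcome: prefs.blockActive ? "blocked" : "loaded-insecure", url: url.href };
}

// All eight combinations of the three prefs, for checking step 11 by hand.
function prefMatrix() {
  const combos = [];
  for (let bits = 0; bits < 8; bits++) {
    combos.push({
      blockActive: Boolean(bits & 4),
      blockDisplay: Boolean(bits & 2),
      upgradeDisplay: Boolean(bits & 1),
    });
  }
  return combos;
}

// Constructed sample requests made from an HTTPS page (paths and .example hosts are placeholders).
const SAMPLE = [
  { tag: "img", url: "http://github.githubassets.com/constructed/octocat.gif", httpsWorks: true },
  { tag: "img", url: "http://http-only.example/photo.png", httpsWorks: false },
  { tag: "script", url: "http://http-only.example/app.js", httpsWorks: false },
];

// One row per pref combination with the predicted outcome for each request.
function report(requests = SAMPLE) {
  return prefMatrix().map((prefs) => ({
    prefs,
    outcomes: requests.map((r) => predict(prefs, r).outcome),
  }));
}

for (const row of report()) console.log(JSON.stringify(row));
```

Each printed row can be compared against what the devtools network tab shows for the same pref settings; a mismatch means the model, not the browser, needs correcting.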