w3c / webappsec-mixed-content

WebAppSec Mixed Content
https://w3c.github.io/webappsec-mixed-content/

Should reference definitions in "Secure Contexts" spec #1

Closed dveditz closed 8 years ago

dveditz commented 8 years ago

The Mixed Content spec defines its own concept of "potentially secure origin":
http://www.w3.org/TR/mixed-content/#potentially-secure-origin

Instead it should reference the equivalent (though not identical) definition in the Secure Contexts spec:
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

Isn't the purpose of the Secure Contexts spec to be a reference point so we have consistency in the definition of secure/insecure?

mikewest commented 8 years ago

There are two definitions because there are two concepts. "Trustworthy" origins include http://127.0.0.1/, localhost, and any other origin that a user agent considers trustworthy (chrome-extension://, etc).

It's not clear to me that the concepts are "equivalent". They seem distinct. Consider a top-level document containing http://127.0.0.1/. Do we want that context to block mixed content? That would be a significant change from status quo.

mikewest commented 8 years ago

AI: @dveditz to skim the patches and follow up with the Mozilla folks who raised the issue.