dveditz closed 8 years ago
There are two definitions because there are two concepts. "Trustworthy" origins include http://127.0.01/, localhost, and any other origin that a user agent considers trustworthy (chrome-extension://, etc).
It's not clear to me that the concepts are "equivalent". They seem distinct. Consider a top-level document containing http://127.0.0.1/. Do we want that context to block mixed content? That would be a significant change from status quo.
AI: @dveditz to skim the patches and follow up with the Mozilla folks who raised the issue.
The Mixed Content spec defines its own concept of "potentially secure origin":
http://www.w3.org/TR/mixed-content/#potentially-secure-origin
Instead it should reference the equivalent (though not identical) definition in the Secure Contexts spec:
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
Isn't the purpose of the Secure Contexts spec to be a reference point so we have consistency in the definition of secure/insecure?