Closed RReverser closed 4 years ago
Oh, I just assumed @mikewest was right and was asking to get a bug on file. Sorry for the confusion.
The main problem with track
is that it's a CORS fetch and therefore the embedder gets access to its data. That's more severe than displaying rogue pixels as it can compromise the behavior of the embedder.
The fair solution would be to also block audio
and video
mixed content, but I'm not sure how feasible that is. I don't think it's ever acceptable to open up track
.
@annevk That sounds somewhat similar to image- or video-to-canvas situation, couldn't the track content be inaccessible only when used programmatically but not when displayed? Or would it put unnecessary burden on implementors given that the plan is to block all the new-ish media elements in future?
As for video/audio - it would indeed be interesting to see stats for it. Given that they are mostly used on a relatively recent websites (last few years), perhaps it could work out with a smooth upgrade path (e.g. allow user to unblock such insecure content with a warning in the meanwhile).
I think that would add quite a bit of complexity to the API at least, which doesn't seem worthwhile just for mixed content which should go away anyway, but I haven't investigated in detail.
I agree with @annevk that we should not open up fetches that allow bits to flow freely from a non-secure origin to a secure origin. I think the answer here is going to be to more tightly restrict <audio>
and <video>
rather than loosening restrictions on <track>
.
I plan to have a proposal in that regard ready for TPAC in ~2 weeks. I'll leave this open for some discussion at that meeting.
Several years ago (!!!) we decided to close this at TPAC. The approach we're taking in MIX2 is to autoupgrade-or-block all mixed content to resolve the incoherence between these request types. See https://w3c.github.io/webappsec-mixed-content/level2.html.
On Twitter, I mentioned that there is some disagreement between Firefox and Chrome on which
<link />
items are supposed to be blocked, in particular<link rel=preload as=track />
as an example where Firefox issues a warning as for any other passive content, but Chrome strictly blocks it.Both @wanderview and @mikewest said that this is a bug in Firefox as per current spec (tracks should be blocked), but I expressed a concern that blocking
track
whereas any other media content (audio
,video
, ...) is allowed with a warning seems to disproportionally harm people with hearing disabilities.@mikewest suggested raising an issue to discuss this, as it makes sense to group all the media content together and either block it all or not block any of it.