w3c / webappsec-mixed-content

WebAppSec Mixed Content
https://w3c.github.io/webappsec-mixed-content/

Mixed content terms - confusing English #70

Open hamishwillee opened 3 months ago

hamishwillee commented 3 months ago

See https://www.w3.org/TR/mixed-content/#terms

The bit in bold makes no sense.

A response is mixed content if it is an unauthenticated response, and the context responsible for loading it requires prohibits mixed security contexts.

I think you mean:

A response is mixed content if it is an unauthenticated response, and the context responsible for loading it prohibits mixed security contexts.

My understanding is that "the context responsible for loading it prohibits mixed security contexts" means "secure context". In other words, if a browser requests a file in a secure context, the response has to be sent to an authenticated origin.

When would a response to a request from a browser in a secure context NOT be sent to an authenticated origin? I suspect I don't know about TLS, but I thought both ends had to be authenticated.
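An added example, not part of the issue or of the specification's own text: a Node.js script that applies the definition quoted above (a response is mixed content when it is an unauthenticated response and the loading context prohibits mixed security contexts), together with the "potentially trustworthy URL" test from the Secure Contexts specification that both halves of the definition rest on. The function and parameter names (isMixedContent, contextChain, responseURL, destination) are this example's own. It also goes one step past the quoted sentence and sketches the Mixed Content Level 2 draft's request upgrade for image, audio and video destinations; that part is an abridgement and is marked as an assumption in the code.

```javascript
// Added example (not code from the w3c/webappsec-mixed-content repository):
// applies the definition quoted in the issue, "a response is mixed content if
// it is an unauthenticated response, and the context responsible for loading
// it prohibits mixed security contexts", using the WHATWG URL class in Node.js.

const LOOPBACK_V4 = /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;

// "Potentially trustworthy origin", abridged from the Secure Contexts spec.
// Only the checks a URL parser can answer offline are implemented here.
function isPotentiallyTrustworthyOrigin(url) {
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  if (scheme === "https" || scheme === "wss" || scheme === "file") return true;
  const host = url.hostname;
  if (LOOPBACK_V4.test(host) || host === "[::1]") return true;
  // localhost names count only where the UA guarantees they resolve to loopback.
  if (host === "localhost" || host === "localhost." ||
      host.endsWith(".localhost") || host.endsWith(".localhost.")) return true;
  return false;
}

// "Potentially trustworthy URL": about:blank, about:srcdoc and data: URLs are
// trustworthy; a blob: URL takes the origin of the URL it embeds.
function isPotentiallyTrustworthyURL(input) {
  let url;
  try { url = input instanceof URL ? input : new URL(input); } catch { return false; }
  if (url.href === "about:blank" || url.href === "about:srcdoc") return true;
  if (url.protocol === "data:") return true;
  if (url.protocol === "blob:") return isPotentiallyTrustworthyURL(url.pathname);
  return isPotentiallyTrustworthyOrigin(url);
}

// A context prohibits mixed security contexts when the document itself, or any
// ancestor document, has a potentially trustworthy origin. contextChain lists
// the document URL first, then its ancestors outward (example's own shape).
function prohibitsMixedSecurityContexts(contextChain) {
  return contextChain.some(isPotentiallyTrustworthyURL);
}

// An unauthenticated response is one whose URL is not potentially trustworthy.
function isUnauthenticatedResponse(responseURL) {
  return !isPotentiallyTrustworthyURL(responseURL);
}

// The definition from the spec's "terms" section, applied to a response that
// the document described by contextChain loaded from responseURL.
function isMixedContent(contextChain, responseURL) {
  return prohibitsMixedSecurityContexts(contextChain) &&
         isUnauthenticatedResponse(responseURL);
}

// Assumption for this example, abridged from the Mixed Content Level 2 draft:
// before fetching, a UA rewrites http->https and ws->wss for image, audio and
// video requests made from a prohibiting context (unless the host is an IP
// literal); other destinations are left to the blocking step. Check the draft
// text before relying on this list.
const UPGRADEABLE = new Set(["image", "audio", "video"]);
const IP_LITERAL = /^(\d{1,3}(\.\d{1,3}){3}|\[.*\])$/;

function upgradeRequestIfAppropriate(contextChain, requestURL, destination) {
  const url = new URL(requestURL);
  if (isPotentiallyTrustworthyURL(url)) return url.href;
  if (IP_LITERAL.test(url.hostname)) return url.href;
  if (!prohibitsMixedSecurityContexts(contextChain)) return url.href;
  if (!UPGRADEABLE.has(destination)) return url.href;
  if (url.protocol === "http:") url.protocol = "https:";
  else if (url.protocol === "ws:") url.protocol = "wss:";
  return url.href;
}

// Constructed cases (not taken from the issue), printed when run directly with
// `node`. The first one, an https page loading an http:// image, is the
// situation the definition is about.
if (typeof require !== "undefined" && require.main === module) {
  const page = ["https://shop.example/cart"];
  console.log(isMixedContent(page, "http://cdn.example/logo.png"));
  console.log(isMixedContent(page, "https://cdn.example/logo.png"));
  console.log(isMixedContent(["http://shop.example/cart"], "http://cdn.example/logo.png"));
  console.log(upgradeRequestIfAppropriate(page, "http://cdn.example/logo.png", "image"));
}
```

The two halves of the definition are separate checks on two different URLs: TLS authenticates the document's own origin, which is what makes the context "prohibit mixed security contexts", while each subresource is fetched on its own and is classified by the URL the response came from. An https document with `<img src="http://cdn.example/logo.png">` is the ordinary case in which a request made from a secure context yields an unauthenticated response.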

hamishwillee commented 3 months ago

FWIW as an ignorant observer this section is quite confusing...

EDITED: Removed. It's confusing, but that's sometimes the nature of spec language.