On Wed, May 18, 2011 at 1:00 PM, Christopher Blizzard <[email protected]> wrote:
> On 5/18/2011 12:27 PM, Adam Barth wrote:
>> Indeed, which is why we experimented with a hard block. Our plan is
>> to move in smaller steps, hopefully in coordination with other browser
>> vendors.
>
> Pick a date/release. We haven't talked about it, but we might be game for that
> kind of action. (It's hard to break things on your own. :P)

To update this thread, here's a blog post describing what we're planning on doing:

http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html

We backed away from a hard block because too many sites broke. The current plan is block + infobar + evangelism for active content (script, plug-ins, CSS). If the evangelism goes well, we hope to move to harder blocks in the future.

If Firefox does something similar, we'll probably have a greater chance of moving to a more secure default in the future.

Thanks,
Adam
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
