Can CSP play a role here? What if my site is on https://foo.com and I set connect-src to http://foo.com ? Would that override the mixed content blocking? If not, is that something we should implement?
Sent from my iPad

On 2013-07-29, at 12:21, Gervase Markham <[email protected]> wrote:

> On 25/07/13 13:18, Nicholas Wilson wrote:
>> On 24 July 2013 17:22, Gervase Markham <[email protected]> wrote:
>>> Have you considered giving the managed servers certs minted from a local
>>> company CA, and trusting that root cert in the copies of Firefox? Or
>>> does that not work either?
>>
>> Gervase,
>>
>> Thanks for that idea. We did try thinking through all the
>> possibilities here, but none of them is especially attractive.
>
> Thanks for the rundown.
>
> I hope I haven't derailed your thread, in that I'm not the guy who can
> approve your patch - I was just trying to help with your problem. But I
> agree that either:
>
> a) a patch to allow the user to approve mixed content WebSockets in the
> same way as XHR; or
>
> b) a patch to allow the JS to pass a "cert to trust" when it makes an
> HTTPS WebSocket connection
>
> would be an OK thing.
>
> Gerv
>
> _______________________________________________
> dev-security mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security
