Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev [and WebSockets in FF6]

2011-05-31 Thread Brian Smith

Honza Bambas wrote:
> This seems to be something we are trying to solve with an opt-in
> feature, HTTP Strict Transport Security (HSTS). What Chrome and
> IE are trying to do is to block insecure content on the client
> side unconditionally. Not sure how many sites this is going to break,
> but it is worth checking what exactly they are doing. I
> planned to do something similar a year ago, but I didn't find
> many votes and it didn't seem to be a very high priority, mainly
> because we have HSTS, which is more elegant.

HSTS only recommends the blocking of mixed content; it doesn't require it. A 
website can block mixed content with CSP. But, the websites that have mixed 
content are probably not the ones making use of HSTS or CSP.

We have also discussed blocking https+ws:// content completely in our 
WebSockets implementation, so that all WebSockets on a HTTPS page must be 
wss://. That way, we could avoid making mixed content problems any worse.

- Brian
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
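A client-side check of the kind Brian describes, written as an added example that is not code from the thread or from any browser: it classifies a subresource request made from a page as mixed content, treating ws:// on an https:// page the same way as http://, and resolves relative URLs against the page. Scheme sets, function names and the sample URLs are assumptions for illustration.

```javascript
// Added example (not from the thread): a mixed-content classifier that
// also covers the WebSocket case, i.e. a ws:// connection from an
// https:// page is treated as insecure, only wss:// is allowed.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);
const INSECURE_SCHEMES = new Set(["http:", "ws:"]);

// Returns "allowed", "blocked" (insecure scheme requested from a secure
// page) or "unknown" (schemes this check does not classify, e.g. data:).
function classifyMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  // Relative and protocol-relative URLs inherit the page's scheme.
  const req = new URL(requestUrl, pageUrl);
  if (!SECURE_SCHEMES.has(page.protocol)) {
    return "allowed"; // a plain http:// page has no secure context to protect
  }
  if (SECURE_SCHEMES.has(req.protocol)) return "allowed";
  if (INSECURE_SCHEMES.has(req.protocol)) return "blocked";
  return "unknown";
}

// Apply the policy to every request a page wants to make and group the
// results, so a log or a developer-console warning can list what was blocked.
function filterRequests(pageUrl, requestUrls) {
  const result = { allowed: [], blocked: [], unknown: [] };
  for (const url of requestUrls) {
    result[classifyMixedContent(pageUrl, url)].push(url);
  }
  return result;
}

// Constructed sample: an HTTPS page loading scripts and opening sockets.
const SAMPLE_PAGE = "https://app.example/dashboard";
const SAMPLE_REQUESTS = [
  "//cdn.example/app.js",            // protocol-relative -> https, allowed
  "http://cdn.example/legacy.js",    // insecure script, blocked
  "wss://app.example/events",        // secure WebSocket, allowed
  "ws://app.example/events",         // insecure WebSocket, blocked
  "data:text/plain,hello",           // not classified by this check
];

console.log(filterRequests(SAMPLE_PAGE, SAMPLE_REQUESTS));
```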


Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev [and WebSockets in FF6]

2011-05-31 Thread Christopher Blizzard

On 5/31/2011 8:24 AM, Brian Smith wrote:

> We have also discussed blocking https+ws:// content completely in our 
> WebSockets implementation, so that all WebSockets on a HTTPS page must be 
> wss://. That way, we could avoid making mixed content problems any worse.

Do you have a bug on file for that yet?

--Chris


Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev [and WebSockets in FF6]

2011-05-31 Thread Adam Barth
On Tue, May 31, 2011 at 10:25 AM, Christopher Blizzard wrote:
> On 5/31/2011 8:24 AM, Brian Smith wrote:
>>
>> We have also discussed blocking https+ws:// content completely in our
>> WebSockets implementation, so that all WebSockets on a HTTPS page must be
>> wss://. That way, we could avoid making mixed content problems any worse.
>
> Do you have a bug on file for that yet?

If you'd be willing to file a bug at bugs.webkit.org too (and CC me),
I can help make sure WebKit and Firefox end up with the same behavior
here.

Thanks,
Adam