Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev
On 5/18/2011 1:07 AM, Brian Smith wrote:

> See https://twitter.com/#!/scarybeasts/status/69138114794360832:
>
> Chrome 13 dev channel now blocks certain types of mixed content by default (script, CSS, plug-ins). Let me know of any significant breakages.
>
> See https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm
>
> IE9: http://tinypic.com/view.php?pic=11qlnhys=7
> Chrome: http://tinypic.com/view.php?pic=oa4v3ns=7
>
> IE9 blocks all mixed content by default, and allows the user to reload the page with the mixed content by pushing a button on its doorhanger (at the bottom of the window in IE).
>
> Notice that Chrome shows the scary crossed-out HTTPS in the address bar.
>
> - Brian

This seems to be something we are trying to solve with an opt-in feature, Http-Strict-Transport-Security (HSTS). What Chrome and IE are trying to do is to block insecure content on the client side unconditionally. Not sure how many sites this is gonna break, but it is worth checking what exactly they are doing. I planned to do something similar a year ago, but I didn't find many votes and it didn't seem to be a very high priority, mainly because we have HSTS, which is more elegant.

-hb-

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev
On 18/05/2011 19:25, Brian Smith wrote:

> No, he meant dev.security

I could have been more explicit.

> and he cross-posted and set the follow-up header on his message to point to that newsgroup. I agree that if there's any discussion, it can/should happen there.

But my message ended up with an incorrect reply-to header, I don't know why, I'm quite sure I didn't put it. This mail-news gateway is broken in a number of ways (not least Message-IDs that are not guaranteed to be the same in the ML and in newsgroups).
Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev
Brian Smith wrote:

> See https://twitter.com/#!/scarybeasts/status/69138114794360832:
>
> Chrome 13 dev channel now blocks certain types of mixed content by default (script, CSS, plug-ins). Let me know of any significant breakages.
>
> See https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm
>
> IE9: http://tinypic.com/view.php?pic=11qlnhys=7
> Chrome: http://tinypic.com/view.php?pic=oa4v3ns=7
>
> IE9 blocks all mixed content by default, and allows the user to reload the page with the mixed content by pushing a button on its doorhanger (at the bottom of the window in IE).
>
> Notice that Chrome shows the scary crossed-out HTTPS in the address bar.

This is actually much more a subject for the .security group, Brian.
Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev
You mean the private security group list? I'm curious why you say that. Generally we should discuss as much on public lists as possible, especially new features or changes to existing ones. Security group exists really just to discuss issues that we can't publicly, because doing so would put users at direct risk. Thanks!

Lucas.

On May 18, 2011, at 15:17, Jean-Marc Desperrier jmd...@gmail.com wrote:

> Brian Smith wrote:
>
>> See https://twitter.com/#!/scarybeasts/status/69138114794360832:
>>
>> Chrome 13 dev channel now blocks certain types of mixed content by default (script, CSS, plug-ins). Let me know of any significant breakages.
>>
>> See https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm
>>
>> IE9: http://tinypic.com/view.php?pic=11qlnhys=7
>> Chrome: http://tinypic.com/view.php?pic=oa4v3ns=7
>>
>> IE9 blocks all mixed content by default, and allows the user to reload the page with the mixed content by pushing a button on its doorhanger (at the bottom of the window in IE).
>>
>> Notice that Chrome shows the scary crossed-out HTTPS in the address bar.
>
> This is actually much more a subject for the .security group, Brian.
> ___
> dev-security mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev
Lucas Adamski wrote:

> You mean the private security group list?

No, he meant dev.security and he cross-posted and set the follow-up header on his message to point to that newsgroup. I agree that if there's any discussion, it can/should happen there.

- Brian

> I'm curious why you say that. Generally we should discuss as much on public lists as possible, especially new features or changes to existing ones. Security group exists really just to discuss issues that we can't publicly, because doing so would put users at direct risk. Thanks!
>
> Lucas.
>
> On May 18, 2011, at 15:17, Jean-Marc Desperrier jmd...@gmail.com wrote:
>
>> Brian Smith wrote:
>>
>>> See https://twitter.com/#!/scarybeasts/status/69138114794360832:
>>>
>>> Chrome 13 dev channel now blocks certain types of mixed content by default (script, CSS, plug-ins). Let me know of any significant breakages.
>>>
>>> See https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm
>>>
>>> IE9: http://tinypic.com/view.php?pic=11qlnhys=7
>>> Chrome: http://tinypic.com/view.php?pic=oa4v3ns=7
>>>
>>> IE9 blocks all mixed content by default, and allows the user to reload the page with the mixed content by pushing a button on its doorhanger (at the bottom of the window in IE).
>>>
>>> Notice that Chrome shows the scary crossed-out HTTPS in the address bar.
>>
>> This is actually much more a subject for the .security group, Brian.
Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev
See https://twitter.com/#!/scarybeasts/status/69138114794360832:

Chrome 13 dev channel now blocks certain types of mixed content by default (script, CSS, plug-ins). Let me know of any significant breakages.

See https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm

IE9: http://tinypic.com/view.php?pic=11qlnhys=7
Chrome: http://tinypic.com/view.php?pic=oa4v3ns=7

IE9 blocks all mixed content by default, and allows the user to reload the page with the mixed content by pushing a button on its doorhanger (at the bottom of the window in IE).

Notice that Chrome shows the scary crossed-out HTTPS in the address bar.

- Brian
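
For site operators who want to see which of their HTTPS pages the behaviour described in this thread would affect, here is an added example (not part of the original thread and not any browser's code) that lists the `http://` subresources of an HTTPS page and flags the types the post says Chrome 13 dev blocks; per the post, IE9 blocks every finding. The names `audit`, `MixedContentAudit` and `LOADERS`, the tag list, and the sample page are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Types the original post says Chrome 13 dev blocks by default.
CHROME13_BLOCKED = {"script", "css", "plug-in"}
# Tags that fetch a subresource: tag -> (attribute, kind). Assumed, not exhaustive.
LOADERS = {"script": ("src", "script"), "object": ("data", "plug-in"),
           "embed": ("src", "plug-in"), "img": ("src", "image")}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # relative URLs resolve against this
        self.findings = []        # (kind, absolute_url, chrome13_blocks)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href"):
            # An http:// <base> makes every later relative URL mixed content.
            self.base = urljoin(self.base, a["href"].strip())
            return
        if tag == "link":
            rels = a.get("rel", "").lower().split()
            kind, ref = ("css" if "stylesheet" in rels else "other"), a.get("href")
        elif tag in LOADERS:
            attr, kind = LOADERS[tag]
            ref = a.get(attr)
        else:
            return
        url = urljoin(self.base, (ref or "").strip())
        if ref and urlparse(url).scheme == "http":
            self.findings.append((kind, url, kind in CHROME13_BLOCKED))

def audit(page_url, html):
    """List http:// subresources of an HTTPS page (all blocked by IE9 per the post)."""
    if urlparse(page_url).scheme != "https":
        return []                 # mixed content only exists on HTTPS pages
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page, not taken from the thread.
SAMPLE = """<head><script src="http://cdn.example/app.js"></script>
<link rel="stylesheet" href="//static.example/site.css">
<link rel="stylesheet" href="http://static.example/theme.css"></head>
<body><img src="http://img.example/logo.png"><img src="/local.png">
<embed src="http://media.example/player.swf"></body>"""
if __name__ == "__main__":
    for finding in audit("https://shop.example/checkout", SAMPLE):
        print(finding)
```

Protocol-relative (`//host/...`) and path-relative references inherit the page's scheme, so they are reported only when an `http://` `<base>` is in effect.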