Honza Bambas wrote:

> This seems to be something we are trying to solve with an opt-in
> feature, HTTP Strict Transport Security (HSTS). What Chrome and
> IE are trying to do is to block insecure content on the client
> side unconditionally. Not sure how many sites this is going to break,
> but it is worth checking what they are exactly doing. I
> planned to do something similar a year ago, but I didn't find
> many votes and it didn't seem to be a very high priority, mainly
> because we have HSTS, which is more elegant.

HSTS only recommends the blocking of mixed content; it doesn't require it. A website can block mixed content with CSP. But the websites that have mixed content are probably not the ones making use of HSTS or CSP.

We have also discussed blocking https+ws:// content completely in our WebSockets implementation, so that all WebSockets on an HTTPS page must be wss://. That way, we could avoid making mixed content problems any worse.

- Brian

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
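An added illustration of the two points above (this is not code from the thread or from Mozilla): a small Python audit that, given an HTTPS page and its response headers, lists the subresources fetched over http:// or ws:// and reports whether the server sent HSTS, which does not by itself block mixed content, or a CSP that does. The CSP directives it looks for, block-all-mixed-content and upgrade-insecure-requests, come from the later Mixed Content and Upgrade Insecure Requests specifications. The page URL, HTML, headers and host names are constructed for the example, and the attribute table is a representative, not exhaustive, set of resource-loading attributes.

```python
"""Mixed-content audit for an HTTPS page.

Added example, not part of the original mailing-list thread. The sample
page and headers at the bottom are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attributes that fetch a subresource. Assumption: a representative
# list, not an exhaustive one.
_URL_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

# Quoted http:// or ws:// URLs inside inline scripts,
# e.g. new WebSocket("ws://chat.example/socket").
_INLINE_URL_RE = re.compile(r"""["'](?P<url>(?:ws|http)://[^"'\s]+)["']""")


class _SubresourceCollector(HTMLParser):
    """Collect (tag, absolute URL) pairs for every subresource reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for attr in _URL_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == attr and value:
                    # Relative URLs resolve against the page, so they
                    # inherit its https:// scheme and are not mixed content.
                    self.urls.append((tag, urljoin(self.page_url, value)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in _INLINE_URL_RE.finditer(data):
                self.urls.append(("script-inline", m.group("url")))


def find_mixed_content(page_url, html):
    """Return [(tag, url)] for subresources a browser would treat as mixed
    content: http:// or ws:// references from a page served over https://."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.urls
            if urlparse(url).scheme in ("http", "ws")]


def header_mitigations(headers):
    """Report which server-side mitigations the response headers carry.

    HSTS makes the browser upgrade future navigations to this host but does
    not require blocking mixed content from other hosts. CSP can block it
    (block-all-mixed-content) or rewrite http:/ws: to https:/wss:
    (upgrade-insecure-requests).
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    directives = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
    return {
        "hsts": "strict-transport-security" in h,
        "csp_blocks_mixed": "block-all-mixed-content" in directives,
        "csp_upgrades_insecure": "upgrade-insecure-requests" in directives,
    }


# Constructed sample: an HTTPS page that mixes in http:// and ws:// resources.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://static.example/banner.png">
<script>
  var sock = new WebSocket("ws://chat.example/socket");
</script>
</body></html>
"""
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; block-all-mixed-content",
}

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"mixed content via <{tag}>: {url}")
    print(header_mitigations(SAMPLE_HEADERS))
```

On the sample page the audit flags the http:// script, the http:// image and the ws:// WebSocket, while the stylesheet and the relative logo path resolve to https:// and pass; the header check shows both HSTS and a blocking CSP present, which is exactly the combination the reply above notes most sites with mixed content do not deploy.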
