Thanks Tanvi, I'd like to wake up this thread a bit. I've just filed https://bugzilla.mozilla.org/show_bug.cgi?id=924957 and attached a patch which implements the behaviour I'd like to see, and which I described earlier on this list. The reception was cautiously positive. Now I've got round to cleaning up the code, I'm hoping to get some concrete feedback on the approach.
I'm trying very carefully to minimize the impact of the changes, to increase the chance it'll actually be accepted cross-browser. I asked the WHATWG list for feedback (http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2013-October/040972.html) and didn't get much, but I am hopeful the tweak I'm suggesting here will be acceptable to everyone. One of Firefox or Chrome has to agree to change their approach to bring uniformity!

Accepting the patch is basically a blocker for us to port our Chrome VNC Viewer to Firefox. Another thread on this list popped up last month from another developer who needs the ability to run peer-to-peer WebSocket connections from a secure page ("Security error when trying to set a non SSL/TLS Websocket from a https page"), so we're clearly not the only people trying to port desktop applications to Firefox as webapps and running into this problem.

Best,
Nicholas

-----
Nicholas Wilson: nicho...@nicholaswilson.me.uk

On 14 August 2013 00:04, Tanvi Vyas <ta...@mozilla.com> wrote:
> Just want to add a few notes here.
>
> Firefox has blocked Mixed Content websockets for a long time; this is
> enforced in the websockets code itself. Because of this, the new Mixed
> Content Blocker code returns early when it sees a websocket request -
> http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsMixedContentBlocker.cpp#249.
> Hence, MCB has punted to the websocket code to make decisions about what to
> allow/deny.
>
> Firefox and Chrome's definition of Mixed Active Content differs in 3 main
> ways. Firefox treats mixed iframes, xhr, and fonts as active content. In
> Chrome 30, mixed iframes will move to the active category (you can test this
> out in the current Chrome Canary). Chrome is also planning to move mixed
> xhr to the active category soon (but I don't know exactly when). When this
> happens, the only difference in our implementations will be mixed content
> fonts. External fonts are not that common and mixed content fonts don't
> break the web since browsers will just fall back to the default, so I'm not
> too worried about this.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security