Here is the first post to elaborate on my previous comment; later, I want to try to summarise the main discussion/decisions/commits on this, because it seems to be spread over too many places.
This post is to discuss what seems like a fundamental flaw in the current handling of mixed content. Can someone confirm that it is indeed flawed, or explain why it is not?

Mixed content is where a page loaded over HTTPS makes a request over HTTP. Let us divide browsers into three types, based on how they handle mixed content.

1. Immediately block the HTTP request.
2. Handle the request normally, up to the point where it would be sent over the network, then if it is still HTTP, block it.
3. Handle the request normally.

The higher the browser type is, the more likely it is to handle an HTTPS page correctly (that is, to avoid breaking the page). But the less likely it is to be secure.

Currently, Firefox and Chrome offer a choice between being type 1 and type 3 (for Firefox, at least, it depends on whether it’s active or display content, but that’s irrelevant to this post). We’re trying to get them to be type 2 instead of type 1. But what would happen if we succeeded at that?

With HTTPS Everywhere, the highest priority is to handle the page correctly; after that, we try to be secure. Sometimes we can do this on type 2 and type 3 browsers, but not on type 1 (all the required resources are available over HTTPS, if only the browser would let us rewrite the requests). And sometimes we can do this on type 3 browsers only (at least some required resources are available only over HTTP). In either case, we need a way of restricting when the rule applies.

Here’s where I don’t fully understand how things work now. The best I can say is this:

1. We handle both cases by adding platform="mixedcontent" and restricting the rules to type 3 browsers.
2. If type 2 browsers became available, there would be no easy way of telling which rules should be enabled on those browsers, nor would there be any way of actually doing so (while keeping those rules disabled on type 1 browsers).
--
Brian Drake

All content created by me:
Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.

On Sat, Jan 18, 2014 at 0258 (UTC), Drake, Brian <[email protected]> wrote:

> On Wed, Jan 15, 2014 at 0622 (UTC), Jacob Hoffman-Andrews <[email protected]> wrote:
>
>> [snip]
>
> That’s a nice idea, but it’s still not clear how things work now, and I think it’s fundamentally flawed anyway (that’s in addition to whatever flaws the browsers have). I’m going to make a couple more posts today to elaborate on this.
>
> [snip]
>
> --
> Brian Drake
>
> All content created by me:
> Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.
_______________________________________________
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
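The following is an added model of the three browser types and of the two rule cases described in the post; it is example code written for this page, not part of HTTPS Everywhere or of the thread. It assumes a simplified semantics for the platform attribute (a rule tagged "mixedcontent" is enabled only on a type 3 browser, and an untagged rule is enabled everywhere), and the host names www.example, cdn.example and legacy.example are constructed. Running the four cases shows the point made in the post: the one available switch cannot express "enable on type 2 and 3, but not on type 1".

```python
"""Model of mixed-content handling (browser types 1-3) against HTTPS
Everywhere-style rewrite rules.  Hosts, rules and platform semantics are
constructed for illustration; this is not the extension's own code."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional
from urllib.parse import urlsplit, urlunsplit


class Browser(Enum):
    TYPE1 = 1  # blocks the HTTP subresource request before any rewrite can run
    TYPE2 = 2  # lets the request be rewritten; blocks it only if still HTTP at the network
    TYPE3 = 3  # sends the request as-is (mixed content allowed)


@dataclass(frozen=True)
class Rule:
    host: str                        # rewrites http://host/... to https://host/...
    platform: Optional[str] = None   # e.g. "mixedcontent"


def enabled_platforms(browser: Browser) -> frozenset:
    # Assumed semantics: "mixedcontent" rules are switched on only where the
    # browser allows mixed content (type 3).  There is no token for type 2.
    return frozenset({"mixedcontent"}) if browser is Browser.TYPE3 else frozenset()


def rewrite(url: str, rules: Iterable[Rule], browser: Browser) -> str:
    """Apply the first enabled rule whose host matches; otherwise return url unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    for rule in rules:
        if rule.platform and rule.platform not in enabled_platforms(browser):
            continue
        if parts.hostname == rule.host:
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


def load_subresource(url: str, browser: Browser, rules, https_hosts) -> str:
    """Outcome of one subresource request made from an HTTPS page:
    'https' (loaded securely), 'http' (loaded insecurely) or 'failed'."""
    if browser is Browser.TYPE1 and urlsplit(url).scheme == "http":
        return "failed"                      # blocked before the extension sees it
    url = rewrite(url, rules, browser)
    parts = urlsplit(url)
    if parts.scheme == "https":
        # A rewrite to a host with no HTTPS service breaks the resource.
        return "https" if parts.hostname in https_hosts else "failed"
    return "failed" if browser is Browser.TYPE2 else "http"


def load_page(page_url: str, subresources, browser: Browser, rules, https_hosts):
    """Return (works, secure) for a top-level navigation plus its subresources."""
    page_url = rewrite(page_url, rules, browser)
    parts = urlsplit(page_url)
    if parts.scheme == "http":
        return True, False                   # page left on HTTP: works, nothing secured
    if parts.hostname not in https_hosts:
        return False, False
    results = [load_subresource(u, browser, rules, https_hosts) for u in subresources]
    works = all(r != "failed" for r in results)
    secure = works and all(r == "https" for r in results)
    return works, secure


def outcomes(rules, page_url, subresources, https_hosts):
    return {b.name: load_page(page_url, subresources, b, rules, https_hosts) for b in Browser}


HTTPS_HOSTS = {"www.example", "cdn.example"}   # constructed; legacy.example is HTTP-only


def case_all_https(platform: Optional[str] = None):
    """Every required resource is also served over HTTPS."""
    rules = [Rule("www.example", platform), Rule("cdn.example", platform)]
    return outcomes(rules, "http://www.example/", ["http://cdn.example/app.js"], HTTPS_HOSTS)


def case_http_only_resource(platform: Optional[str] = "mixedcontent"):
    """One required resource exists only over HTTP."""
    rules = [Rule("www.example", platform)]
    return outcomes(rules, "http://www.example/", ["http://legacy.example/widget.js"], HTTPS_HOSTS)


if __name__ == "__main__":
    print("all-HTTPS, unrestricted rules:   ", case_all_https())
    print("all-HTTPS, platform=mixedcontent:", case_all_https("mixedcontent"))
    print("HTTP-only resource, restricted:  ", case_http_only_resource())
    print("HTTP-only resource, unrestricted:", case_http_only_resource(None))
```

With unrestricted rules the all-HTTPS site breaks on a type 1 browser but is secured on types 2 and 3; tagging the same rules "mixedcontent" keeps type 1 working but throws away the security that type 2 could have provided. For the site with an HTTP-only resource the tag is unavoidable, since untagged rules break the page on both type 1 and type 2.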
