On 7/23/2013 6:34 AM, Nicholas Wilson wrote: > I think having uniformity here is clearly helpful. I do recognise that > the WebSocket API spec requires mixed-content connections to be > blocked, but there might still be room for discussion on the benefits > of it, especially while you're adjusting the model for XHR at the same > time. > > Without this change, we're going to have to release our product with > long polling in Firefox just because we can't create a WebSocket!
Uniformity is indeed important. Are you implying that some other browser is NOT blocking mixed-content WebSockets? Why is it only Firefox where you have to do long polling? If so we can take that information back to the standards body and discuss changing the spec (which is probably where this conversation should happen). > The second request is a bigger discussion: I think we need a fuller, > proper way to allow mixed-content XHR/WebSocket. Not all mixed-content > requests, just some. I recognise the value that browsers provide to > website developers flagging up when their site is misconfigured, and > we want these warnings to be on by default. I do want to recognize this as a separate point and don't want it to get buried. Leaving WebSockets aside is it appropriate to treat data connections as "active" content rather than "passive" content. What do IE and Chrome (who both block mixed active content) do with XHR? > I tentatively suggest a new header: "Access-Control-Security: > externally-verifiable" (or anything similar). That's worth considering. > On a related note, in #662692, Brian Smith said "IMO, the SSH example > is better off using mozTCPSocket" I'm not sure about that; while it's > clearly great for chrome-context code or browser extensions, I still > don't see how Mozilla could open this up to the webpages more > generally. I don't either. AFAIK the mozTCPSocket API is going to be restricted to chrome-privileged add-ons and "Privileged" Firefox OS apps. It's not a solution for web pages, WebSockets was supposed to be that solution. -Dan Veditz
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
