Thanks Tanvi,
I'd like to wake up this thread a bit. I've just filed
https://bugzilla.mozilla.org/show_bug.cgi?id=924957 and attached a
patch which implements the behaviour I'd like to see, and which I
described earlier on this list. The reception was cautiously positive.
Now I've got round to
On 29 July 2013 17:47, Stefan Arentz sare...@mozilla.com wrote:
Can CSP play a role here?
What if my site is on https://foo.com and I set connect-src to http://foo.com
? Would that override the mixed content blocking? If not, is that something
we should implement?
Interesting idea. I'm
On 27 July 2013 02:18, Daniel Veditz dved...@mozilla.com wrote:
Uniformity is indeed important. Are you implying that some other browser
is NOT blocking mixed-content WebSockets? Why is it only Firefox where
you have to do long polling?
If so we can take that information back to the standards
Can CSP play a role here?
What if my site is on https://foo.com and I set connect-src to http://foo.com ?
Would that override the mixed content blocking? If not, is that something we
should implement?
Sent from my iPad
On 2013-07-29, at 12:21, Gervase Markham g...@mozilla.org wrote:
On
On 7/23/2013 6:34 AM, Nicholas Wilson wrote:
I think having uniformity here is clearly helpful. I do recognise that
the WebSocket API spec requires mixed-content connections to be
blocked, but there might still be room for discussion on the benefits
of it, especially while you're adjusting the
On 24 July 2013 17:22, Gervase Markham g...@mozilla.org wrote:
Have you considered giving the managed servers certs minted from a local
company CA, and trusting that root cert in the copies of Firefox? Or
does that not work either?
Gervase,
Thanks for that idea. We did try thinking through
On 23/07/13 14:34, Nicholas Wilson wrote:
created to enable exactly these sorts of use cases, surely! It's clear
though that the app has to be served over HTTPS. And, it makes
connections to WebSocket-enabled servers on your local network that
aren't on the wide internet, so it's infeasible to
Hello,
I'd like to ask about the possibility of changes to the way
mixed-content XHR and WebSockets are flagged up.
(I should start by saying that the new mixed-content blocker is great
and that tightening restrictions on these sorts of things is in
general excellent.)
Firstly, I think it's a