On Tue, August 19, 2014 3:41 pm, fhw...@gmail.com wrote: > <html><head><meta http-equiv="Content-Type" content="text/plain;"><style> > body { font-family: "Calibri","Slate Pro","sans-serif"; color:#262626 > }</style> </head> <body data-blackberry-caret-color="#00a8df"><div>What > are the current rules or algorithms in place when dealing with some > mixture of http and https content in > Firefox? </div><div><br></div><div>A case I'm thinking about is a > drive-by download situation. If the main page is loaded âby https but > there are subsequent requests for files (images, js, css, fonts, iframes, > etc.) or Ajax calls to be made that are only http, will Firefox allow > them? Note that I don't care about the form cases where I load the form > html using https but submit the form data via http. I care about just the > files and content. </div><div><span style="font-family: Calibri, > 'Slate Pro', sans-serif;"><br name="BB10" caretmarkerset="INVALID" > class="markedForCaretMarkerRemoval"></span></div><div>Thanks in advance. > </div><div><br name="BB10" caretmarkerset="INVALID" > class="markedForCaretMarkerRemoval"></div><div></div></body></html> > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy >
I'm not sure which Mozilla list is more appropriate, but I suspect this isn't the one (there's likely a more specific one for networking/mixed content) That said, you may wish to check out https://w3c.github.io/webappsec/specs/mixedcontent/ , which is trying to document and spec exactly what the behaviour is and should be. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy