On July 23, 2014, at 17:08, Michael Catanzaro <mcatanz...@igalia.com> wrote:

> One problem with these settings is that frames are treated as mixed
> passive content rather than mixed active content. For the WebKitGTK+ API
> I want frames to be treated as active content, which is what most major
> browsers currently do.

Thank you for the heads up!

Can you elaborate on why this is desirable? A non-https frame always has a 
different origin, so it can't script the main frame.

In other words, how is "active content" defined here?

> I'm also planning to block mixed XMLHttpRequest and WebSocket
> connections when allow-running-of-insecure-content is false. 

Same question, why? Cross-origin XMLHttpRequest is different from cross-origin
scripts in that it takes quite a bit of effort to make it work, so it's not the
same case of accidentally loading a subresource using http instead of https.

- Alexey
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
