hi websec folks-- I am wondering what people think the proper intersection is between a web browser's mixed-content warnings and HSTS.
For example, if https://example.net has asserted Strict-Transport-Security: max-age=15768000 but the homepage at https://example.net/ also contains <img src="http://example.net/example.jpg"/>, should an HSTS-compatible browser show its standard mixed-content warning even though it knows to rewrite that img src to https://example.net/example.jpg?

My intuition is that this shouldn't trigger the browser's mixed-content warning, but Chromium 26.0.1410.43 does show it, and https://code.google.com/p/chromium/issues/detail?id=122548#c26 suggests that palmer@ and rsleevi@ think that is the correct behavior because they want:

> to signal to the site author of an error - for example, if users which
> did not have HSTS visited.

I'm not sure how the author is supposed to get this signal from the site visitor's browser, though -- perhaps the expectation is that site visitors will independently report the "broken lock" to the site administrator?

I also note that Firefox 21.0 (when security.mixed_content.block_display_content = true) doesn't show the media at all, and when security.mixed_content.block_display_content = false it shows the image but removes the lock from the address bar (which I think is the equivalent of the "mixed content warning" these days).

Do other folks have any thoughts about what the right thing to do here is?

--dkg
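The site-side check the post says the author otherwise lacks, as an added example that is not part of the original message: it scans a page's HTML for http:// subresources and separates references to a host known to assert HSTS (which an HSTS browser upgrades, but a browser without the HSTS entry fetches in the clear) from third-party references that remain mixed content either way. The hsts_hosts set, the passive/active attribute split and the sample HTML are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subresource-loading attributes, split into passive ("display") and active
# content following the Firefox distinction mentioned in the post.
DISPLAY_ATTRS = {("img", "src"), ("audio", "src"), ("video", "src")}
ACTIVE_ATTRS = {("script", "src"), ("iframe", "src"), ("link", "href")}

class SubresourceCollector(HTMLParser):
    """Collect (tag, attr, url) for every subresource reference in the HTML."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and (tag, attr) in DISPLAY_ATTRS | ACTIVE_ATTRS:
                self.refs.append((tag, attr, value))

def classify_subresources(html, hsts_hosts):
    """Return (url, verdict) for each http:// subresource in html.
    'hsts-upgradable': host in hsts_hosts; an HSTS browser rewrites it to https://
    'mixed-display'  : passive http:// content on a non-HSTS host
    'mixed-active'   : active http:// content on a non-HSTS host
    """
    parser = SubresourceCollector()
    parser.feed(html)
    findings = []
    for tag, attr, url in parser.refs:
        parsed = urlparse(url)
        if parsed.scheme != "http":
            continue  # https://, relative and data: URLs are not mixed content
        if parsed.hostname in hsts_hosts:
            verdict = "hsts-upgradable"
        elif (tag, attr) in ACTIVE_ATTRS:
            verdict = "mixed-active"
        else:
            verdict = "mixed-display"
        findings.append((url, verdict))
    return findings

# Constructed sample mirroring the post: an HSTS site referencing its own
# image over http://, plus a third-party script that HSTS cannot fix.
SAMPLE_HTML = """<img src="http://example.net/example.jpg"/>
<script src="http://cdn.example.org/lib.js"></script>
<img src="https://example.net/secure.png"/>"""

if __name__ == "__main__":
    for url, verdict in classify_subresources(SAMPLE_HTML, {"example.net"}):
        print(f"{verdict:16} {url}")
```

Run against a site's own pages, the 'hsts-upgradable' entries are exactly the references that look fine in an HSTS-aware browser but load in the clear for first-time visitors, which is the error the Chromium comment wants surfaced.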
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
