-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What's the scope of mixed content tainting? #7
Comments
Tainting a whole origin like this sounds too severe to me FWIW. |
My rationale is that an application's state is tainted by mixed content through various channels: load/error, 2xx/error, image width, image height, and media duration. We don't know how those channels affect the user and therefore we should warn the user about them for the duration they remain in effect. Which matches the duration of storage. (This can get more severe if the user overrrides the default mixed content blocking (why we provide that option is unclear to me, is that still sanctioned by the standard?).) |
From a formal perspective, I agree with @annevk on that condition. By distinguishing the cause of the tainting we could help UX folks to deliver more valuable warnings. |
Does the loading content type follow through to workers in browser implementations? For example are we able to tell if they are mixed display/active loaded from a worker? I personally think we should treat workers as if Upgrade-Insecure-Requests is set for any request going through them. Would there be any concerns of doing this? It seems simpler than tainting all of an origin or tabs with workers attached. It also seems better than allowing these requests over insecure also. The only concern I can see is if these requests can block loading as upgrading an unsupported HTTPS page would cause a timeout. |
@jonathanKingston an HTTPS worker cannot fetch "mixed content". It also does not seem to be related to the concern listed in OP. |
After speaking on irc we clarified that w3c/ServiceWorker#813 won't ever happen and this issue is just scoped to leaking of info to the worker. |
No, it's about leakage of insecurely obtained data anywhere, including workers, storage, cookies, etc. That's why any mixed content violation should technically last until all eTLD+1 data is removed. |
I guess even then it could have ended up server side and affect your account more permanently... |
I think at this point, the goal is to kill mixed content entirely via the autoupgrade-or-block approach @estark37, et al, have suggested in MIX2. That seems like the right path forward. |
At the moment mixed content warnings are scoped to the document, but should it be wider than this?
Once I've loaded a mixed
<img>
I could communicate its size to other pages on the origin viaBroadcastChannel
. I could store this data and access it on future page loads.In w3c/ServiceWorker#813 (comment) @annevk suggests an origin should become mix-tainted and all future documents should carry the mix warning. The only way to reverse this would be to clear origin storage.
The text was updated successfully, but these errors were encountered: