This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 22262 - Mixed content / CSP
Summary: Mixed content / CSP
Status: RESOLVED MOVED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
Reported: 2013-06-04 15:51 UTC by Anne
Modified: 2015-08-11 06:49 UTC

Description Anne 2013-06-04 15:51:48 UTC
At some point we should require disallowing http from https for certain types of requests (or maybe all at some point).

This would also require knowing what type of resource was requested, which ties into CSP content categories (or some such).

Comment 1 Anne 2014-05-19 10:48:44 UTC
It seems Mike is going to do this.

Comment 2 Mike West 2014-05-19 10:52:21 UTC
Yes. Mike is putting a spec together. Should have something for review next weekish.

Comment 3 Mike West 2014-06-01 09:53:30 UTC
I've put up a draft mixed content spec for review. On the assumption that it's not completely insane, I'd appreciate it if you could take a close look at the proposed modifications to Fetch: https://w3c.github.io/webappsec/specs/mixedcontent/#fetch-integration

Anne, does that look like the right division of labor between the documents?

Comment 4 Anne 2014-06-02 10:40:15 UTC
Yeah, I guess I'll take this bug back to implement the requested hooks once we agree on the details per list discussion: http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0004.html

Comment 6 Anne 2014-06-13 09:47:42 UTC
Assigning to Mike as I still need a hook for CSP.

Hooks were improved as part of these commits yesterday:

https://github.com/whatwg/fetch/commit/682f68d5f0cce7f9637a8f6d9450b514ed276f9b
https://github.com/whatwg/fetch/commit/567fe8ad5f1804efdefa7aa273f2a366b223c70e

Comment 7 Anne 2015-06-11 09:59:29 UTC
What's the ETA on CSP getting fixed?