This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.
At some point we should require disallowing http from https for certain types of requests (or maybe all at some point). This would also require knowing what type of resource was requested, which ties into CSP content categories (or some such).
It seems Mike is going to do this.
Yes. Mike is putting a spec together. Should have something for review next weekish.
I've put up a draft mixed content spec for review. On the assumption that it's not completely insane, I'd appreciate it if you could take a close look at the proposed modifications to Fetch: https://w3c.github.io/webappsec/specs/mixedcontent/#fetch-integration Anne, does that look like the right division of labor between the documents?
Yeah, I guess I'll take this bug back to implement the requested hooks once we agree on the details per list discussion: http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0004.html
Placeholder hooks added: https://github.com/whatwg/fetch/commit/f04393aa9815dd6dce350d5d058f2bac9c4d606c
Assigning to Mike as I still need a hook for CSP. Hooks were improved as part of these commits yesterday: https://github.com/whatwg/fetch/commit/682f68d5f0cce7f9637a8f6d9450b514ed276f9b https://github.com/whatwg/fetch/commit/567fe8ad5f1804efdefa7aa273f2a366b223c70e
What's the ETA on CSP getting fixed?
https://github.com/w3c/webappsec/issues/227