Closed Bug 934508 Opened 11 years ago Closed 5 years ago

Create an override header for mixed content resources

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: michiel, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

The current mixed content rules (for which I can't even seem to find a spec or draft spec in an authoritative place by googling for them) have locked down the internet far more than they should have, preventing people from linking to known, safe, but http-hosted resources. Not just javascript, but also almost always inert content like CSS files for the sake of security.

In order to give the internet back to users, instead of locking it down "for our own good", it would be extremely useful if there was an HTTP header that would allow specifying the mixed content policy, similar to how access-control is handled right now. If servers can indicate how "safe" their https is, the browser could pick up on this and allow the users to make informed decisions on what they want to be exposed to, rather than having no choice in the matter.

As a first stab, a header like mixed-content-policy=allow for "all things are allowed", mixed-content-policy=no-active for "only allow static content" and mixed-content-policy=deny for "don't allow any http resources on this https connection", paired with a second header that allows domain overriding, such as mixed-content-allowed=* for "allow all content from all domains", or a list of domains to allow overrides for specific, known domains that host content that are deemed safe enough to bypass the default policy.

Especially with the emergence of programs like Khan Academy, Code Academy, Mozilla Webmaker, and a plethora of other "learn ..." initiatives, mixed content is the biggest hurdle in actually letting people explore and create the web, and it's the browsers that are keeping us back.

Let's get some control back =)
Component: General → Security
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86_64 → All
Version: unspecified → Trunk
Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]

For your own experimentation there are preferences in Firefox that allow you to turn off the mixed-content blocker. But on the web in the wild mixed-content blocking is here to stay. The rise of free certificates from Let's Encrypt or even from some hosting companies makes this much less painful to deploy, and HTTPS penetration is >80% worldwide, and higher in US/Europe.

It has been specified for a while (now, not when you first filed the bug): https://www.w3.org/TR/mixed-content/

Google is going even further and proposing blocking mixed passive content like images, and also experimenting with auto-upgrading (internally converting http: urls to https: before making the request) to fix old "broken (by mistake)" content.
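As an added illustration (not code from this bug or from Firefox), the scanner below applies the W3C spec's split between "blockable" content (scripts, stylesheets, frames) and "optionally-blockable" content (images, media) to the subresources of an https: page, and shows the auto-upgrade rewrite mentioned in the comment above. The tag table, the sample page and the domain names in it are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource kinds as the W3C Mixed Content spec classifies them: "blockable"
# (scripts, stylesheets, frames, plugins) is refused outright on an https: page,
# "optionally-blockable" (images, media) is fetched but flagged.
# Assumption: this table lists common cases, not every fetch the spec covers.
BLOCKABLE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
OPTIONALLY_BLOCKABLE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collect http: subresources referenced from an https: page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute url, kind)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links fetch a subresource handled here
        for table, kind in ((BLOCKABLE, "blockable"), (OPTIONALLY_BLOCKABLE, "optionally-blockable")):
            attr = table.get(tag)
            if attr and attrs.get(attr):
                # Resolve relative and protocol-relative URLs against the page URL:
                # "//cdn.example/x.js" inherits https: and is therefore not mixed.
                url = urljoin(self.page_url, attrs[attr])
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, url, kind))

def scan(page_url, html):
    """Return the mixed-content findings for an html document served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

def auto_upgrade(url):
    """The auto-upgrade idea from the comment above: rewrite http: to https: before fetching."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url

# Constructed sample page (not a real site); the page itself is served at https://page.example/
SAMPLE = """<html><head><link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script><script src="/local.js"></script></head>
<body><img src="http://img.example/logo.png">
<iframe src="http://widgets.example/embed"></iframe></body></html>"""
```

Running `scan("https://page.example/", SAMPLE)` reports the stylesheet and iframe as blockable and the image as optionally-blockable, while the protocol-relative and same-origin scripts are not mixed at all.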

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX