Closed Bug 1133712 Opened 9 years ago Closed 9 years ago

Block all Mixed Content for HSTS domains

Categories

(Core :: Security, defect)

x86
macOS
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: annevk, Unassigned)

References

(Blocks 1 open bug)

Details

Internet Explorer plans on blocking all mixed content for HSTS domains: http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

If that is feasible it seems preferable to sometimes changing the UI and confusing the end user.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Reopening as this is slightly different than bug 800098.

Bug 800098 is about removing the user override in HSTS pages.  I believe this bug is about treating optionally blockable content as blockable on HSTS pages.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
This bug does not accurately reflect the IE team's plans.

"Mixed content – We do allow audio/video in the mixed mode scenario as it applies to HSTS."

http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx#10594412

I vote WONTFIX, it'll just be a reason for people to regret having used HSTS.
Agreed that would make the proposition far less attractive.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
I just commented on the IE blog as I'd like some clarification from them either way.
(In reply to Tanvi Vyas [:tanvi] from comment #5)
> I just commented on the IE blog as I'd like some clarification from them
> either way.

Mixed active content will be blocked on HSTS pages without a user override.
http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx?CommentPosted=true#10597765