Closed Bug 1133712 Opened 11 years ago Closed 10 years ago

Block all Mixed Content for HSTS domains

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: annevk, Unassigned)

References

(Blocks 1 open bug)

Details

Internet Explorer plans on blocking all mixed content for HSTS domains: http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx If that is feasible it seems preferable to sometimes changing the UI and confusing the end user.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Reopening as this is slightly different than bug 800098. Bug 800098 is about removing the user override in HSTS pages. I believe this bug is about treating optionally blockable content as blockable on HSTS pages.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
This bug does not accurately reflect the IE team's plans. "Mixed content – We do allow audio/video in the mixed mode scenario as it applies to HSTS." http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx#10594412 I vote WONTFIX, it'll just be a reason for people to regret having used HSTS.
Agreed that would make the proposition far less attractive.
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → WONTFIX
I just commented on the IE blog as I'd like some clarification from them either way.
(In reply to Tanvi Vyas [:tanvi] from comment #5) > I just commented on the IE blog as I'd like some clarification from them > either way. Mixed active content will be blocked on HSTS pages without a user override. http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx?CommentPosted=true#10597765
You need to log in before you can comment on or make changes to this bug.