Create an override header for mixed content resources

(Reporter: pomax, Unassigned)


(Blocks: 1 bug)


(Whiteboard: [domsecurity-backlog])

The current mixed content rules (for which I can't even seem to find a spec or draft spec in an authoritative place by googling for them) have locked down the internet far more than they should have, preventing people from linking to known, safe, but http-hosted resources: not just JavaScript, but also almost always inert content like CSS files, for the sake of security.

In order to give the internet back to users, instead of locking it down "for our own good", it would be extremely useful if there was an HTTP header that would allow specifying the mixed content policy, similar to how access control is handled right now. If servers can indicate how "safe" their https is, the browser could pick up on this and allow users to make informed decisions on what they want to be exposed to, rather than having no choice in the matter.

As a first stab, a header like mixed-content-policy=allow for "all things are allowed", mixed-content-policy=no-active for "only allow static content" and mixed-content-policy=deny for "don't allow any http resources on this https connection", paired with a second header that allows domain overriding, such as mixed-content-allowed=* for "allow all content from all domains", or a list of domains to allow overrides for specific, known domains that host content that is deemed safe enough to bypass the default policy.

Especially with the emergence of programs like Khan Academy, Code Academy, Mozilla Webmaker, and a plethora of other "learn ..." initiatives, mixed content is the biggest hurdle in actually letting people explore and create the web, and it's the browsers that are keeping us back.

Let's get some control back =)
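How a browser might evaluate the two headers proposed above, as an added illustration that is not part of this report or of Firefox: the header names and values are the reporter's, while the default used when the header is absent, the active/passive classification (images, audio and video passive; scripts, stylesheets, frames and fetches active, as browsers classify them today) and the lower-cased header dict are assumptions made here.

```python
# Added example, not code from Firefox or from the reporter: a toy evaluator
# for the two headers this report proposes. Header names and values come from
# the report; the default policy, the active/passive split and the header
# lookup convention are assumptions made here for illustration.
from typing import Dict, Optional, Set
from urllib.parse import urlparse

# Browsers treat images, audio and video as passive (optionally blockable)
# mixed content; scripts, stylesheets, frames and fetches are active.
PASSIVE_TYPES = {"image", "audio", "video"}
POLICIES = {"allow", "no-active", "deny"}


def parse_allowed(header: Optional[str]) -> Set[str]:
    """Parse the proposed mixed-content-allowed header into a host set."""
    if header is None:
        return set()
    return {h.strip().lower() for h in header.split(",") if h.strip()}


def mixed_content_decision(page_url: str, resource_url: str,
                           resource_type: str, headers: Dict[str, str]) -> str:
    """Return 'allow' or 'block' for loading resource_url from page_url.

    headers: lower-cased response headers of the top-level HTTPS document.
    Only the document's own headers are consulted: a header carried by the
    http resource itself must never be able to relax the policy.
    """
    page, res = urlparse(page_url), urlparse(resource_url)
    if page.scheme != "https" or res.scheme != "http":
        return "allow"  # not mixed content at all
    # Assumed default when the header is absent: today's behaviour, where
    # active content is blocked and passive content is still loaded.
    policy = headers.get("mixed-content-policy", "no-active").strip().lower()
    if policy not in POLICIES:
        policy = "deny"  # unknown value: fail closed rather than open
    allowed = parse_allowed(headers.get("mixed-content-allowed"))
    host = (res.hostname or "").lower()
    # Exact host comparison only: a suffix or substring match would let
    # "evil-cdn.example" satisfy an entry meant for "cdn.example".
    if "*" in allowed or host in allowed:
        return "allow"
    if policy == "allow":
        return "allow"
    if policy == "no-active" and resource_type in PASSIVE_TYPES:
        return "allow"
    return "block"
```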
Blocks: 815321
Component: General → Security
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86_64 → All
Version: unspecified → Trunk
Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]