On 5/18/2011 1:07 AM, Brian Smith wrote:
> See https://twitter.com/#!/scarybeasts/status/69138114794360832: "Chrome 13 dev
> channel now blocks certain types of mixed content by default (script, CSS, plug-ins). Let
> me know of any significant breakages."
>
> See https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm
> IE9: http://tinypic.com/view.php?pic=11qlnhy&s=7
> Chrome: http://tinypic.com/view.php?pic=oa4v3n&s=7
>
> IE9 blocks all mixed content by default, and allows the user to reload the page
> with the mixed content by pushing a button on its doorhanger (at the bottom of
> the window in IE).
>
> Notice that Chrome shows the scary crossed-out HTTPS in the address bar.
>
> - Brian

This seems to be something we are trying to solve with an opt-in feature,
Http-Strict-Transport-Security (HSTS). What Chrome and IE are trying to
do is to block insecure content on the client side unconditionally. Not
sure how many sites this is going to break, but it is worth checking what
exactly they are doing. I planned to do something similar a year ago,
but I didn't find many votes and it didn't seem to be a very high
priority, mainly because we have HSTS, which is more elegant.
-hb-
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
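
An added example, not part of the thread and not any browser's code: a small auditor that lists the `http://` subresources of an HTTPS page and marks the types the quoted Chrome announcement names as blocked (script, CSS, plug-ins). The `active`/`passive` labels, the tag-to-type mapping and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# "active" = the types named in the quoted announcement (script, CSS, plug-ins).
# "passive" is an assumed label for other http:// loads such as images.
ACTIVE, PASSIVE = "active", "passive"

# Constructed sample page, not taken from the thread.
SAMPLE = """<html><head>
<script src="http://cdn.example/lib.js"></script>
<script src="//cdn.example/ok.js"></script>
<link rel="stylesheet" href="http://cdn.example/site.css">
</head><body>
<img src="http://img.example/logo.png">
<img src="/local.png">
<object data="http://media.example/player.swf"></object>
</body></html>"""

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute_url)

    def _record(self, category, tag, url):
        if not url:
            return
        # Resolve relative and protocol-relative URLs against the page first.
        absolute = urljoin(self.page_url, url.strip())
        if urlparse(absolute).scheme == "http":
            self.findings.append((category, tag, absolute))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "embed"):
            self._record(ACTIVE, tag, a.get("src"))
        elif tag == "object":
            self._record(ACTIVE, tag, a.get("data"))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self._record(ACTIVE, tag, a.get("href"))
        elif tag in ("img", "audio", "video", "source"):
            self._record(PASSIVE, tag, a.get("src"))

def audit(page_url, html):
    """Return http:// subresources of an https:// page; [] for non-HTTPS pages."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit("https://shop.example/checkout", SAMPLE)` returns the four `http://` loads in document order; the protocol-relative script and the relative image resolve to HTTPS and are not reported.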