
Re: Mixed HTTPS/non-HTTPS content in IE9 and Chrome 13 dev


Jean-Marc Desperrier

May 18, 2011, 9:17:38 AM5/18/11
to mozilla-dev...@lists.mozilla.org
Brian Smith wrote:
> See https://twitter.com/#!/scarybeasts/status/69138114794360832:
> "Chrome 13 dev channel now blocks certain types of mixed content by
> default (script, CSS, plug-ins). Let me know of any significant
> breakages."
>
> See
> https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm
> IE9: http://tinypic.com/view.php?pic=11qlnhy&s=7
> Chrome: http://tinypic.com/view.php?pic=oa4v3n&s=7
>
> IE9 blocks all mixed content by default, and allows the user to
> reload the page with the mixed content by pushing a button on its
> doorhanger (at the bottom of the window in IE).
>
> Notice that Chrome shows the scary crossed-out HTTPS in the address
> bar.

This is actually much more a subject for the .security group, Brian.

Adam Barth

May 18, 2011, 2:45:47 PM5/18/11
to dev-se...@lists.mozilla.org
[-dev-tech-crypto]

We tried aggressively blocking active mixed content by default in the
Chrome Dev channel, but too much broke. We're going to unblock it
again and try to find some middle road.

Here's the bug tracking this issue:
http://code.google.com/p/chromium/issues/detail?id=81637

Adam

Adam Barth

May 18, 2011, 3:27:12 PM5/18/11
to Eddy Nigg, mozilla-de...@lists.mozilla.org
On Wed, May 18, 2011 at 12:04 PM, Eddy Nigg <eddy...@startcom.org> wrote:
> On 05/18/2011 09:45 PM, From Adam Barth:

>> We tried aggressively blocking active mixed content by default in the
>> Chrome Dev channel, but too much broke.  We're going to unblock it
>> again and try to find some middle road.
>
> That's a shame and very regrettable. Together with IE9 you could have made a
> difference in order to pull over other browser vendors to do the same, which
> in turn would have put the pressure elsewhere (those that provide stuff to
> embed with their sites).

Indeed, which is why we experimented with a hard block. Our plan is
to move in smaller steps, hopefully in coordination with other browser
vendors.

> IMO, mixed content breaks the security and concept entirely.

Not entirely, but often.

Adam

Christopher Blizzard

May 18, 2011, 4:00:01 PM5/18/11
to Adam Barth, Eddy Nigg, mozilla-de...@lists.mozilla.org
On 5/18/2011 12:27 PM, Adam Barth wrote:
> Indeed, which is why we experimented with a hard block. Our plan is
> to move in smaller steps, hopefully in coordination with other browser
> vendors.
>

Pick a date/release. We haven't talked about it, but we might be game for
that kind of action. (It's hard to break things on your own. :P)

--Chris

Adam Barth

Jun 16, 2011, 4:42:08 PM6/16/11
to Christopher Blizzard, Chris Evans, mozilla-de...@lists.mozilla.org

To update this thread, here's a blog post describing what we're
planning on doing:

http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html

We backed away from a hard block because too many sites broke. The
current plan is block + infobar + evangelism for active content
(script, plug-ins, CSS). If the evangelism goes well, we hope to move
to harder blocks in the future.

If Firefox does something similar, we'll probably have a greater
chance of moving to a more secure default in the future.

Thanks,
Adam
