This is actually much more a subject for the .security group, Brian.
We tried aggressively blocking active mixed content by default in the
Chrome Dev channel, but too much broke. We're going to unblock it
again and try to find some middle road.
Here's the bug tracking this issue:
http://code.google.com/p/chromium/issues/detail?id=81637
Adam
Indeed, which is why we experimented with a hard block. Our plan is
to move in smaller steps, hopefully in coordination with other browser
vendors.
> IMO, mixed content breaks the security and concept entirely.
Not entirely, but often.
Adam
Pick a date/release. We haven't talked about it, but we might be game for
that kind of action. (It's hard to break things on your own. :P)
--Chris
To update this thread, here's a blog post describing what we're
planning on doing:
http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html
We backed away from a hard block because too many sites broke. The
current plan is block + infobar + evangelism for active content
(script, plug-ins, CSS). If the evangelism goes well, we hope to move
to harder blocks in the future.
If Firefox does something similar, we'll probably have a greater
chance of moving to a more secure default in the future.
Thanks,
Adam
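
For site owners preparing for the block on active content (script, plug-ins, CSS) described above, here is an added example that is not part of the thread or of Chromium's code: a small scanner that lists the insecure subresources an HTTPS page would load. The tag lists, the separate "passive" label for images and media, and the example.test hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> URL attribute. The grouping follows the thread (script, plug-ins, CSS);
# the exact tag lists are assumptions made for this example.
ACTIVE = {"script": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # changes if the page carries <base href>
        self.findings = []        # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            # An http:// base turns every relative subresource into mixed content.
            self.base = urljoin(self.base, a["href"])
            return
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            kind, attr = "active", "href"
        elif tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        if not a.get(attr):
            return
        url = urljoin(self.base, a[attr])   # resolves relative and //host forms
        if urlparse(url).scheme == "http":
            self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return insecure subresources of an HTTPS page; HTTP pages have none."""
    if urlparse(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (example.test hosts are placeholders).
SAMPLE = """<head><link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/ok.js"></script></head>
<body><img src="http://img.example.test/logo.png">
<script src="http://ads.example.test/track.js"></script>
<embed src="http://media.example.test/player.swf">
<script src="/local.js"></script></body>"""
```

Calling `scan("https://shop.example.test/checkout", SAMPLE)` returns one tuple per insecure load; the "active" entries are the ones to fix first.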