Hello, security-dev@!

Currently, we treat plugin-initiated requests as "optionally-blockable" mixed content, in violation of the mixed content specification. We do this mostly because we can't easily distinguish between "safe" plugin-initiated requests (for images), and super-dangerous plugin-initiated requests (for SWFs to include): everything comes through the Pepper subresource loading code as "plugin content". We've been erring on the side of allowing the content, but I believe we need to change that. In particular, allowing insecure SWF content to infiltrate an otherwise secure context is bad (especially when users have opted to allow Flash out of its tight sandbox).

Given that mixed content plugin-initiated requests occur on something like 0.1% of page views[1], it's likely to break things out there on The Internets if we begin blocking these requests outright. I'd like to ease into things by setting up a field trial to begin ramping our way up to blocking plugin-initiated mixed content requests entirely.

WDYT of the approach?

-mike
Sounds like a hole well worth plugging. What would the "field trial" amount to?
+tanvi
Regarding Justin's point about people being able to override with the
Shield Page Action: Is that still going away, or...?