Intent to Implement: Autoupgrade Mixed Content (Experiment)


carl...@chromium.org

Oct 5, 2018, 12:54:27 AM
to blink-dev
This feature is an experiment (planned to be rolled to 1% of stable) to autoupgrade mixed content. Different variations will be tested: one upgrading only blockable content, one upgrading only optionally blockable content, and one upgrading all mixed content. All of those will be tested without fallback (breaking the load if there is no version of the resource available over HTTPS), and with fallback to HTTP.

The current UX for mixed content is not ideal (downgrading the security chip, or showing a shield for blockable content). We are trying to determine how feasible it is to autoupgrade mixed content and eliminate this UI, increasing user security and making the user experience better.

Firefox: Public Support
Edge: Mixed Public Signals
Safari: Public Support
https://lists.w3.org/Archives/Public/public-webappsec/2017Oct/0017.html
Web developers: No signals

We expect the experiment to cause breakage in some sites, and plan to measure the breakage to make a decision as to whether a similar type of upgrade can be implemented as a separate feature. This will be mitigated by only being enabled for 1% of users.

None
Yes

https://crbug.com/872446
https://www.chromestatus.com/features/5557268741357568
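
The experiment arms described in the post above, modelled as an added example (this is not Chromium code and not part of the original thread). The category split follows the W3C Mixed Content spec; the `httpsAvailable` probe, the sample URLs and the treatment of a fallback as a return to existing handling are assumptions made for illustration.

```javascript
// Added example, not Chromium code. Category split follows the W3C Mixed
// Content spec: image, audio and video loads are "optionally blockable";
// every other http:// subresource on an https:// page is "blockable".
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// Returns null when the request is not mixed content, else its category.
function mixedCategory(pageUrl, req) {
  const page = new URL(pageUrl);
  const res = new URL(req.url, page);
  if (page.protocol !== "https:" || res.protocol !== "http:") return null;
  return OPTIONALLY_BLOCKABLE.has(req.type) ? "optionally-blockable" : "blockable";
}

// Pre-experiment handling: blockable loads are blocked, the rest load
// over HTTP with a downgraded security indicator.
function existingAction(category) {
  return category === "blockable" ? "block" : "load-insecure";
}

// arm: { upgrade: "blockable" | "optionally-blockable" | "all", fallback: bool }
// httpsAvailable(url): hypothetical probe, true if the https:// URL loads.
function decide(pageUrl, req, arm, httpsAvailable) {
  const category = mixedCategory(pageUrl, req);
  if (category === null) return { category, action: "load", url: req.url };
  if (arm.upgrade !== "all" && arm.upgrade !== category) {
    return { category, action: existingAction(category), url: req.url };
  }
  const upgraded = new URL(req.url, pageUrl);
  upgraded.protocol = "https:";
  if (httpsAvailable(upgraded.href)) {
    return { category, action: "load-upgraded", url: upgraded.href };
  }
  // Assumption: falling back to HTTP hands the request to existing handling.
  const action = arm.fallback ? existingAction(category) : "broken";
  return { category, action, url: req.url };
}

// Constructed sample: one page, three subresources, one experiment arm.
const PAGE = "https://shop.example/cart";
const REQUESTS = [
  { url: "http://cdn.example/app.js", type: "script" },
  { url: "http://img.example/logo.png", type: "image" },
  { url: "https://cdn.example/site.css", type: "style" },
];
function audit(arm, httpsAvailable) {
  return REQUESTS.map((r) => decide(PAGE, r, arm, httpsAvailable));
}
```

Running `audit` per arm against a site's own request list shows which loads would end up "broken" in the no-fallback variations, which is the breakage the experiment sets out to measure.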

Carlos IL

Oct 5, 2018, 12:54:48 AM
to blin...@chromium.org

Yoav Weiss

Oct 6, 2018, 12:37:42 PM
to Carlos IL, blin...@chromium.org
Thanks for working on this. Seems a worthwhile goal to experiment with!

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABgKfX-ietwKTD5dnY5zKZ7424L35pAkFvtViyqa3me_QTDyA%40mail.gmail.com.

laure...@gmail.com

Feb 13, 2019, 4:05:45 PM
to blink-dev
And if a non-techie user happens to be in that 1% and is faced with a broken site as a result -- perhaps one they seriously need to access -- their expected course of action is ... what?

--Lauren--

Carlos IL

Feb 19, 2019, 1:06:25 PM
to laure...@gmail.com, blink-dev
Currently we are only running the experiment on Canary, which is not normally used by non-technically inclined users, and where some breakage is expected. We will only proceed with the experiment on Beta (and then stable), if the Canary results show that breakage is not significant/if outreach can correct for most of it.
