block-all-mixed-content is a CSP directive that causes Chrome to hard block all http resource loads on https sites. After the launch of autoupgrades for passive mixed content, the directive is a no-op since passive (image, video, and audio) mixed content is autoupgraded to https before block-all-mixed-content is evaluated (and fails to load if not available over https), and active mixed content is hard blocked by default. block-all-mixed-content still has an effect when a user has allowlisted a site (using the "Insecure Content" site setting toggle) to allow mixed content, but that is a fairly niche use case (and it seems unlikely that sites are relying on that functionality).

block-all-mixed-content was previously defined in the MIX spec, but was marked as obsolete when MIX and MIX2 were merged and the concept of autoupgrades was introduced. It is already marked as deprecated in MDN docs.

block-all-mixed-content is already marked as obsolete in the Mixed Content spec, is a no-op in most cases, and removing it would simplify Chrome's mixed content handling code.
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No milestones specified
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1a73276e-a3d4-45d3-b3fb-751f9edd6d09n%40chromium.org.
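The decision logic the intent describes (passive mixed content autoupgraded before CSP is consulted, active mixed content hard blocked by default, and block-all-mixed-content only mattering once the user has allowlisted the site) can be written down as a small model. The following is an added example, not Chrome code and not part of the original post: `parseCsp`, `decideLoad` and `findObsoleteDirectives` are hypothetical helpers, the `insecureContentAllowed` flag stands in for the "Insecure Content" site setting, and the assumption that an allowlisted site loads http subresources as-is (rather than autoupgrading them) is taken from the message, not verified against Chrome's implementation. The `findObsoleteDirectives` check is the one a site operator would run over their own headers before the directive is removed.

```javascript
// Added example: a simplified model of Chrome's mixed-content decision as
// described in the intent above. Not Chrome code. The allowlisted-site
// branch is an assumption derived from the message, not from Chrome source.

const PASSIVE_TYPES = new Set(["image", "video", "audio"]);

// Parse a Content-Security-Policy header value into Map<directive, tokens>.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Decide what happens to one subresource load on a page.
//   page: document URL; resource: subresource URL;
//   type: "image" | "video" | "audio" | "script" | "iframe" | "fetch" | ...;
//   csp: parsed CSP of the document;
//   insecureContentAllowed: the per-site "Insecure Content" toggle (hypothetical
//   stand-in for the site setting).
function decideLoad({ page, resource, type, csp, insecureContentAllowed = false }) {
  const pageUrl = new URL(page);
  const resUrl = new URL(resource);

  // Only http loads on https documents are mixed content at all.
  if (pageUrl.protocol !== "https:" || resUrl.protocol !== "http:") {
    return { action: "allow", url: resUrl.href, reason: "not mixed content" };
  }

  if (insecureContentAllowed) {
    // Assumption: an allowlisted site loads http subresources without upgrade,
    // so this is the one branch where the directive still changes the outcome.
    if (csp.has("block-all-mixed-content")) {
      return { action: "block", url: resUrl.href, reason: "block-all-mixed-content" };
    }
    return { action: "allow", url: resUrl.href, reason: "insecure content allowlisted" };
  }

  if (PASSIVE_TYPES.has(type)) {
    // Passive mixed content is rewritten to https before CSP is evaluated;
    // if the https variant is unavailable the load simply fails. CSP never
    // sees an http URL here, so block-all-mixed-content has nothing to do.
    resUrl.protocol = "https:";
    return { action: "autoupgrade", url: resUrl.href, reason: "passive mixed content" };
  }

  // Active mixed content is hard blocked by default, with or without the directive.
  return { action: "block", url: resUrl.href, reason: "active mixed content" };
}

// Lint helper for site operators: list obsolete directives present in a CSP header.
function findObsoleteDirectives(header) {
  const csp = parseCsp(header);
  return ["block-all-mixed-content"].filter((name) => csp.has(name));
}

// Constructed sample inputs.
const pageCsp = parseCsp("default-src 'self'; block-all-mixed-content");
console.log(decideLoad({ page: "https://example.test/", resource: "http://cdn.example.test/a.png", type: "image", csp: pageCsp }));
console.log(decideLoad({ page: "https://example.test/", resource: "http://cdn.example.test/a.js", type: "script", csp: pageCsp }));
console.log(decideLoad({ page: "https://example.test/", resource: "http://cdn.example.test/a.js", type: "script", csp: pageCsp, insecureContentAllowed: true }));
console.log(findObsoleteDirectives("default-src 'self'; block-all-mixed-content"));
```

Run with `node` on a version that provides the global `URL` class. The two non-allowlisted calls produce the same result whether or not `block-all-mixed-content` is present in the header, which is the no-op the intent describes; only the allowlisted call flips from allow to block.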
It sounds like the user has already agreed to seeing "insecure" and possibly compromised content in that case, but it could absolutely make something worse.
Is there a use counter for how often a user demands to see an "insecure" page? That would act as an upper limit, and maybe it's already small enough. (Or maybe not).
/Daniel
On 2023-02-08 17:24, Rick Byers wrote:
It sounds like the only potential concern is a security one - where content previously blocked at the site's request was no longer blocked. Is that right? If so then I'd defer to security reviewers and approve from a web compat perspective without any metrics.
Rick
On Wed, Feb 8, 2023 at 10:01 AM Yoav Weiss <yoav...@chromium.org> wrote:
Any use counters for when it is used?