<div dir="ltr">Here is the first post to elaborate on my previous comment; later, I want to try to summarise the main discussion/decisions/commits on this, because it seems to be spread over too many places.<br><div><div class="gmail_extra">
<br></div><div class="gmail_extra">This post is to discuss what seems like a fundamental flaw in the current handling of mixed content. Can someone confirm that it is indeed flawed, or explain why it is not?<br></div><div class="gmail_extra">
<br></div><div class="gmail_extra">Mixed content is where a page loaded over HTTPS makes a request over HTTP. Let us divide browsers into three types, based on how they handle mixed content.<br></div><div class="gmail_extra">
<br></div><div class="gmail_extra">1. Immediately block the HTTP request.<br></div><div class="gmail_extra">2. Handle the request normally, up to the point where it would be sent over the network, then if it is still HTTP, block it.<br>
</div><div class="gmail_extra">3. Handle the request normally.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">The higher the browser type is, the more likely it is to handle an HTTPS page correctly (that is, to avoid breaking the page). But the less likely it is to be secure.<br>
</div><div class="gmail_extra"><br></div><div class="gmail_extra">Currently, Firefox and Chrome offer a choice between being type 1 and type 3 (for Firefox, at least, it depends on whether it’s active or display content, but that’s irrelevant to this post). We’re trying to get them to be type 2 instead of type 1. But what would happen if we succeeded at that?<br>
<br></div><div class="gmail_extra">With HTTPS Everywhere, the highest priority is to handle the page correctly; after that, we try to be secure. Sometimes we can do this on type 2 and type 3 browsers, but not on type 1 (all the required resources are available over HTTPS, if only the browser would let us rewrite the requests). And sometimes we can do this on type 3 browsers only (at least some required resources are available only over HTTP).<br>
<br></div><div class="gmail_extra">In either case, we need a way of restricting when the rule applies. Here’s where I don’t fully understand how things work now. The best I can say is this:<br>1. We handle both cases by adding platform="mixedcontent" and restricting the rules to type 3 browsers.<br>
2. If type 2 browsers became available, there would be no easy way of telling which rules should be enabled on those browsers, nor would there be any way of actually doing so (while keeping those rules disabled on type 1 browsers).<br>
</div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div>--<br>Brian Drake<br><br>All content created by me: <a href="http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html" target="_blank">Copyright</a> © 2014 Brian Drake. All rights reserved.<br>
</div></div></div>
<br><div class="gmail_quote">On Sat, Jan 18, 2014 at 0258 (UTC), Drake, Brian <span dir="ltr"><<a href="mailto:brian@drakefamily.tk" target="_blank">brian@drakefamily.tk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">On Wed, Jan 15, 2014 at 0622 (UTC), Jacob Hoffman-Andrews <span dir="ltr"><<a href="mailto:jsha@newview.org" target="_blank">jsha@newview.org</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<div class="im">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>[snip]<br>
</div></blockquote><div> <br></div></div><div>That’s a nice idea, but it’s still not clear how things work now, and I think it’s fundamentally flawed anyway (that’s in addition to whatever flaws the browsers have). I’m going to make a couple more posts today to elaborate on this.<br>
</div><div class="gmail_extra"><div><br></div>[snip]</div></div></div><div class="im"><div class="gmail_extra"><br>--<br>Brian Drake<br><br>All content created by me: <a href="http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html" target="_blank">Copyright</a> © 2014 Brian Drake. All rights reserved.</div>
</div></div>
</blockquote></div></div></div></div>