954.txt
[8] In the [[Web]], [DFN[[RUBYB[[[混合内容]]]@en[mixed content]]]] means data that originates from an [[insecure]] [[protocol]] but is included in a document delivered over a [[secure]] [[protocol]], for example an [[HTTP]] [[script]] referenced from an [[HTTPS]] [[document]].
* Specifications
[REFS[
- [25] '''[CITE@en[Mixed Content]] ([TIME[2015-05-17 18:30:14 +09:00]] version) <https://w3c.github.io/webappsec/specs/mixedcontent/>'''
- [26] [CITE@en-GB-x-hixie[HTML Standard]] ([TIME[2015-05-06 10:42:35 +09:00]] version) <https://html.spec.whatwg.org/#dom-websocket>
]REFS]
* Applies to
[FIG(short list)[
- [[Fetch]]
- [[WebSocket]] [SRC[>>26, >>25]]
]FIG]
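The definition above, and the WebSocket constructor rule in the HTML Standard cited at >>26, as an added example that is not part of this page or of either specification. It classifies a subresource request relative to its document and reproduces the SecurityError step for a non-secure ws: endpoint requested from a secure origin; the function names and the example.com URLs are assumptions.

```javascript
// Added example (not from the page): classify a subresource as mixed
// content per the definition above, and mirror the WebSocket constructor
// step from the HTML Standard (>>26). Function names are assumptions.

const SECURE_SCHEMES = new Set(["https:", "wss:"]);
const INSECURE_SCHEMES = new Set(["http:", "ws:"]);

// True when the document's origin was delivered over a secure protocol.
function isSecureContext(documentUrl) {
  return SECURE_SCHEMES.has(new URL(documentUrl).protocol);
}

// "mixed"  : a secure document references an insecure-protocol resource
// "secure" : both the document and the resource use a secure protocol
// "n/a"    : the document itself is not secure, so nothing it loads is
//            mixed content under the definition above
function classifySubresource(documentUrl, resourceUrl) {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl, doc); // resolves relative references
  if (!SECURE_SCHEMES.has(doc.protocol)) return "n/a";
  if (INSECURE_SCHEMES.has(res.protocol)) return "mixed";
  return "secure";
}

// Mirrors the quoted constructor step: `secure` is false for ws:, and if
// the entry settings object's origin uses a secure scheme (e.g. HTTPS)
// the constructor throws a SecurityError instead of connecting.
function openWebSocket(documentUrl, wsUrl) {
  const target = new URL(wsUrl);
  if (target.protocol !== "ws:" && target.protocol !== "wss:") {
    throw new SyntaxError("WebSocket URL scheme must be ws: or wss:");
  }
  const secure = target.protocol === "wss:";
  if (!secure && isSecureContext(documentUrl)) {
    const err = new Error("insecure WebSocket requested from a secure origin");
    err.name = "SecurityError";
    throw err;
  }
  // Constructed stand-in for the connection object; no network is used.
  return { url: target.href, secure };
}
```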
* Related
[10] This is unrelated to [[mixed content]] as the term is used in [[SGML]] [[content models]].
* History
[9]
>A [[Web page]] is called [DFN[[[mixed content]]]] if the [[top-level resource]] was retrieved through a [[strongly TLS protected HTTP transaction]], but some dependent [[resources]] were [[retrieved]] through a [[weakly protected]] or [[unprotected HTTP transaction]].
;; [CITE[Web Security Context: User Interface Guidelines]] ([TIME[2010-08-04 20:09:50 +09:00]] version) <http://www.w3.org/TR/2010/REC-wsc-ui-20100812/#def-mixed-content>
[6] [CITE[Web Security Context: User Interface Guidelines]]
([TIME[2010-08-04 11:09:50 +09:00]] version)
<http://www.w3.org/TR/wsc-ui/#def-mixed-content>
[7] [CITE@en[RFC 6797 - HTTP Strict Transport Security (HSTS)]]
([TIME[2014-06-02 05:16:10 +09:00]] version)
<http://tools.ietf.org/html/rfc6797#section-2.3.1.3>
[1] [CITE@en[Mixed Content]]
([TIME[2014-05-30 17:48:27 +09:00]] version)
<http://projects.mikewest.org/webappsec/specs/mixedcontent/>
[2] [CITE[webappsec/specs/mixedcontent at master · w3c/webappsec]]
([TIME[2014-05-31 02:44:56 +09:00]] version)
<https://github.com/w3c/webappsec/tree/master/specs/mixedcontent>
[3] [CITE@en[Mixed Content]]
([TIME[2014-05-30 17:53:42 +09:00]] version)
<https://w3c.github.io/webappsec/specs/mixedcontent/>
[4] [CITE[Add Mixed Content hook placeholders. Broaden placeholder CSP hook. · f04393a · whatwg/fetch]]
([TIME[2014-06-03 03:25:57 +09:00]] version)
<https://github.com/whatwg/fetch/commit/f04393aa9815dd6dce350d5d058f2bac9c4d606c>
[5] [CITE@en[Bug 22262 – Mixed content / CSP]]
([TIME[2014-06-03 03:27:39 +09:00]] version)
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=22262>
[11] [CITE@en[RFC 6797 - HTTP Strict Transport Security (HSTS)]]
([TIME[2014-06-02 05:16:10 +09:00]] version)
<http://tools.ietf.org/html/rfc6797#section-12.4>
[12] [CITE[Clarify MIX and CSP hooks a bit · 682f68d · whatwg/fetch]]
([TIME[2014-06-16 03:02:08 +09:00]] version)
<https://github.com/whatwg/fetch/commit/682f68d5f0cce7f9637a8f6d9450b514ed276f9b>
[13] [CITE[Put MIX/CSP hooks in switch. Put second MIX check before tainting. · 567fe8a · whatwg/fetch]]
([TIME[2014-06-16 03:05:48 +09:00]] version)
<https://github.com/whatwg/fetch/commit/567fe8ad5f1804efdefa7aa273f2a366b223c70e>
[14] [CITE@en[Mixed Content]]
([TIME[2014-07-17 21:32:22 +09:00]] version)
<http://www.w3.org/TR/2014/WD-mixed-content-20140722/>
[15] [CITE@en[Mixed Content]]
([TIME[2014-09-15 23:45:04 +09:00]] version)
<http://www.w3.org/TR/2014/WD-mixed-content-20140916/>
[16] [CITE@en[Mixed Content]]
([TIME[2014-11-13 02:58:19 +09:00]] version)
<http://www.w3.org/TR/2014/WD-mixed-content-20141113/>
[17] [CITE@en[MIX: Walk the ancestor tree for powerful features. · 8d8d201 · w3c/webappsec]]
([TIME[2014-11-21 21:02:00 +09:00]] version)
<https://github.com/w3c/webappsec/commit/8d8d201a571896267b229e9be0bd5cab222d67a2>
[18] [CITE@en[Fix the order of CSP, HSTS, Mixed Content, and Referrer https://www.w3.o... · b8c2c49 · whatwg/fetch]]
([TIME[2015-01-28 18:20:44 +09:00]] version)
<https://github.com/whatwg/fetch/commit/b8c2c4964c233cd3616042c04e2c14e0ff25485d>
[19] [CITE@en[Mixed Content]]
([TIME[2015-03-13 06:25:45 +09:00]] version)
<http://www.w3.org/TR/2015/CR-mixed-content-20150317/>
[20] [CITE[Part2 - browsersec - Browser Security Handbook, part 2 - Browser Security Handbook - Google Project Hosting]]
([TIME[2015-03-31 16:49:53 +09:00]] version)
<https://code.google.com/p/browsersec/wiki/Part2#Protocol-level_encryption_facilities>
[21] [CITE@en[Re: Fetch, MSE, and MIX]]
(by [[Matthew Wolenetz]], [TIME[2015-04-11 07:24:15 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0093.html>
[22] [CITE@en[Re: ''''''[''''''MIX'''''']'''''' Modifications to script APIs]]
(by [[Anne van Kesteren]], [TIME[2014-10-31 16:55:54 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0228.html>
[23] [CITE@en[Bug 28577 – ''''''[''''''XMLHttpRequest'''''']'''''' Throwing SecurityError on open() call for some kind of simple errors]]
([TIME[2015-05-06 16:40:03 +09:00]] version)
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=28577>
[FIG(quote)[
[FIGCAPTION[
[24] [CITE@en-GB-x-hixie[HTML Standard]]
([TIME[2015-05-06 10:42:35 +09:00]] version)
<https://html.spec.whatwg.org/#dom-websocket>
]FIGCAPTION]
> If secure is false but the origin specified by the entry settings object has a scheme component that is itself a secure protocol, e.g. HTTPS, then throw a SecurityError exception and abort these steps.
]FIG]
[27] [CITE@en[MIX: Clarify mixed content "resources" vs "requests". · w3c/webappsec@8732a84]]
([TIME[2015-06-23 12:29:02 +09:00]] version)
<https://github.com/w3c/webappsec/commit/8732a8402ba535dc7ab05423fec251f8ceb5c8bd>
[28] [CITE@en[MIX: Explicitly update WSC-UI's 'mixed content' definition (h/t @equa… · w3c/webappsec@d9d8246]]
([TIME[2015-06-23 12:29:20 +09:00]] version)
<https://github.com/w3c/webappsec/commit/d9d8246bf985bcfe78d02dfb6d0c1be6ccb3b56a>
[29] [CITE@en[MIX: Cite a source for the IE4 note. · w3c/webappsec@9b1690c]]
([TIME[2015-06-23 12:29:42 +09:00]] version)
<https://github.com/w3c/webappsec/commit/9b1690c0432e0320fa861c89ced452bbaf45a5ed>
[30] [CITE@ja-JP[PRB: Security Warning Message Occurs When You Browse to a Page That Contains an IFRAME Through SSL]]
([TIME[2015-06-23 12:30:12 +09:00]] version)
<https://support2.microsoft.com/default.aspx?scid=kb;EN-US;Q261188>
[31] [CITE@en[Eric Lawrence on Twitter: "@mikewest IE6-IE8 used a modal dialog box. http://t.co/fvK7RiZ9Pi implies that IE4/IE5 had the same. Sadly, I don't have any Win9x VMs."]]
([TIME[2015-06-23 12:30:23 +09:00]] version)
<https://twitter.com/ericlaw/status/469813922908758016>
[32] [CITE@en[MIX: Clarify "mixed content" vs XML's term. · w3c/webappsec@528162c]]
([TIME[2015-06-23 12:32:01 +09:00]] version)
<https://github.com/w3c/webappsec/commit/528162c3014ddd19cc6e04570fe19e57292ca0d1>
[FIG(quote)[
[FIGCAPTION[
[33] [CITE@en[RFC 6797 - HTTP Strict Transport Security (HSTS)]]
([TIME[2015-05-03 13:27:16 +09:00]] version)
<http://tools.ietf.org/html/rfc6797#section-12.4>
]FIGCAPTION]
> "Mixed security context" loads happen when a web application
> resource, fetched by the UA over a secure transport, subsequently
> causes the fetching of one or more other resources without using
> secure transport. This is also generally referred to as "mixed
> content" loads (see Section 5.3 ("Mixed Content") in
> '''['''W3C.REC-wsc-ui-20100812''']''') but should not be confused with the same
> "mixed content" term that is also used in the context of markup
> languages such as XML and HTML.
> NOTE: In order to provide behavioral uniformity across UA
> implementations, the notion of mixed security context will
> require further standardization work, e.g., to define the
> term(s) more clearly and to define specific behaviors with
> respect to it.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[34] [CITE@en[Re: CSP2: Drop 'unsafe-redirect'.]]
(by [[Brian Smith]], [TIME[2015-07-02 03:24:10 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0019.html>
]FIGCAPTION]
> When Firefox implemented mixed content blocking, Mozilla treated
> Mozilla-owned sites specially: We assumed that our coworkers would make the
> necessary changes before we shipped, after we helped them understand what
> was necessary, and so we didn't consider breaking any Mozilla site a risk
> for shipping. That strategy worked very well for us (IIRC).
]FIG]
[35] [CITE[Intent to Ship: Strict mixed content checking. - Google Groups]]
([TIME[2015-07-07 11:53:13 +09:00]] version)
<https://groups.google.com/a/chromium.org/d/msg/blink-dev/MafYMJ3zQw0/DkZdADnS3hMJ>
[36] [CITE@en[MIX: First stab at SW integration. · w3c/webappsec@e577d4d]]
([TIME[2015-07-21 11:22:23 +09:00]] version)
<https://github.com/w3c/webappsec/commit/e577d4d5746bd33248a7dd4dbe0db515c16f20fb>
[37] [CITE@en[MIX: Dropping the irrelevant CORS mode check from passthrough requests. · w3c/webappsec@72c2dba]]
([TIME[2015-09-07 12:50:28 +09:00]] version)
<https://github.com/w3c/webappsec/commit/72c2dba9b871a577c2be24101d57f71b63240974>
[38] [CITE@en[MIX: Align 'should block response?' with Fetch. · w3c/webappsec@bbe52ec]]
([TIME[2015-09-07 12:52:06 +09:00]] version)
<https://github.com/w3c/webappsec/commit/bbe52eca3e5c3b1c726b03c0363bf87bf4c66972>
[39] [CITE@en[MIX: Clarify blocking algorithm for passthrough requests. · w3c/webappsec@1d683bb]]
([TIME[2015-09-07 12:53:22 +09:00]] version)
<https://github.com/w3c/webappsec/commit/1d683bb8e9e4c60b4e51f40299c5e634eb024170>