[8] On the [[Web]], [DFN[[[mixed content]]]] is
data originating from a [[protocol]] that is not [[secure]], contained in a document delivered over a [[secure]] [[protocol]],
such as an [[HTTP]] [[script]] referenced from an [[HTTPS]] [[document]].
* Definition
[9]
>A [[Web page]] is called [DFN[[[mixed content]]]] if the [[top-level resource]] was retrieved through a [[strongly TLS protected HTTP transaction]], but some dependent [[resources]] were [[retrieved]] through a [[weakly protected]] or [[unprotected HTTP transaction]].
;; [CITE[Web Security Context: User Interface Guidelines]] ([TIME[2010-08-04 20:09:50 +09:00]] version) <http://www.w3.org/TR/2010/REC-wsc-ui-20100812/#def-mixed-content>
* Related
[10] It is unrelated to [[mixed content]] in [[SGML]] [[content models]].
* History
[6] [CITE[Web Security Context: User Interface Guidelines]]
( ([TIME[2010-08-04 11:09:50 +09:00]] version))
<http://www.w3.org/TR/wsc-ui/#def-mixed-content>
[7] [CITE@en[RFC 6797 - HTTP Strict Transport Security (HSTS)]]
( ([TIME[2014-06-02 05:16:10 +09:00]] version))
<http://tools.ietf.org/html/rfc6797#section-2.3.1.3>
[1] [CITE@en[Mixed Content]]
( ([TIME[2014-05-30 17:48:27 +09:00]] version))
<http://projects.mikewest.org/webappsec/specs/mixedcontent/>
[2] [CITE[webappsec/specs/mixedcontent at master · w3c/webappsec]]
( ([TIME[2014-05-31 02:44:56 +09:00]] version))
<https://github.com/w3c/webappsec/tree/master/specs/mixedcontent>
[3] [CITE@en[Mixed Content]]
( ([TIME[2014-05-30 17:53:42 +09:00]] version))
<https://w3c.github.io/webappsec/specs/mixedcontent/>
[4] [CITE[Add Mixed Content hook placeholders. Broaden placeholder CSP hook. · f04393a · whatwg/fetch]]
( ([TIME[2014-06-03 03:25:57 +09:00]] version))
<https://github.com/whatwg/fetch/commit/f04393aa9815dd6dce350d5d058f2bac9c4d606c>
[5] [CITE@en[Bug 22262 – Mixed content / CSP]]
( ([TIME[2014-06-03 03:27:39 +09:00]] version))
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=22262>
[11] [CITE@en[RFC 6797 - HTTP Strict Transport Security (HSTS)]]
( ([TIME[2014-06-02 05:16:10 +09:00]] version))
<http://tools.ietf.org/html/rfc6797#section-12.4>
[12] [CITE[Clarify MIX and CSP hooks a bit · 682f68d · whatwg/fetch]]
( ([TIME[2014-06-16 03:02:08 +09:00]] version))
<https://github.com/whatwg/fetch/commit/682f68d5f0cce7f9637a8f6d9450b514ed276f9b>
[13] [CITE[Put MIX/CSP hooks in switch. Put second MIX check before tainting. · 567fe8a · whatwg/fetch]]
( ([TIME[2014-06-16 03:05:48 +09:00]] version))
<https://github.com/whatwg/fetch/commit/567fe8ad5f1804efdefa7aa273f2a366b223c70e>
[14] [CITE@en[Mixed Content]]
( ([TIME[2014-07-17 21:32:22 +09:00]] version))
<http://www.w3.org/TR/2014/WD-mixed-content-20140722/>
[15] [CITE@en[Mixed Content]]
( ([TIME[2014-09-15 23:45:04 +09:00]] version))
<http://www.w3.org/TR/2014/WD-mixed-content-20140916/>
[16] [CITE@en[Mixed Content]]
( ([TIME[2014-11-13 02:58:19 +09:00]] version))
<http://www.w3.org/TR/2014/WD-mixed-content-20141113/>
[17] [CITE@en[MIX: Walk the ancestor tree for powerful features. · 8d8d201 · w3c/webappsec]]
( ([TIME[2014-11-21 21:02:00 +09:00]] version))
<https://github.com/w3c/webappsec/commit/8d8d201a571896267b229e9be0bd5cab222d67a2>
[18] [CITE@en[Fix the order of CSP, HSTS, Mixed Content, and Referrer https://www.w3.o... · b8c2c49 · whatwg/fetch]]
([TIME[2015-01-28 18:20:44 +09:00]] version)
<https://github.com/whatwg/fetch/commit/b8c2c4964c233cd3616042c04e2c14e0ff25485d>
[19] [CITE@en[Mixed Content]]
( ([TIME[2015-03-13 06:25:45 +09:00]] version))
<http://www.w3.org/TR/2015/CR-mixed-content-20150317/>
[20] [CITE[Part2 - browsersec - Browser Security Handbook, part 2 - Browser Security Handbook - Google Project Hosting]]
([TIME[2015-03-31 16:49:53 +09:00]] version)
<https://code.google.com/p/browsersec/wiki/Part2#Protocol-level_encryption_facilities>
[21] [CITE@en[Re: Fetch, MSE, and MIX]]
(by [[Matthew Wolenetz]], [TIME[2015-04-11 07:24:15 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0093.html>
[22] [CITE@en[Re: ''''''[''''''MIX'''''']'''''' Modifications to script APIs]]
(by [[Anne van Kesteren]], [TIME[2014-10-31 16:55:54 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0228.html>
[23] [CITE@en[Bug 28577 – ''''''[''''''XMLHttpRequest'''''']'''''' Throwing SecurityError on open() call for some kind of simple errors]]
([TIME[2015-05-06 16:40:03 +09:00]] version)
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=28577>
[FIG(quote)[
[FIGCAPTION[
[24] [CITE@en-GB-x-hixie[HTML Standard]]
([TIME[2015-05-06 10:42:35 +09:00]] version)
<https://html.spec.whatwg.org/#dom-websocket>
]FIGCAPTION]
> If secure is false but the origin specified by the entry settings object has a scheme component that is itself a secure protocol, e.g. HTTPS, then throw a SecurityError exception and abort these steps.
]FIG]
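An added example, not part of the wiki page or of the cited specifications: a scheme-based check for mixed content as defined above, together with the WebSocket rule quoted from the HTML Standard. The names `findMixedContent` and `checkWebSocket` and the sample markup are assumptions made for illustration, and security is judged by URL scheme alone.

```javascript
// Added example; names below are hypothetical, not from the wiki page or a spec.
// Assumption: "secure" is judged by URL scheme alone; TLS strength is not inspected.
const SECURE = new Set(['https:', 'wss:']);
const INSECURE = new Set(['http:', 'ws:']);

// List dependent resources that a securely delivered page would fetch insecurely.
function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (!SECURE.has(page.protocol)) return []; // only secure top-level pages can be "mixed"
  const found = [];
  const tagRe = /<(script|img|iframe|audio|video|source|embed|link)\b([^>]*)>/gi;
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    const name = tag.toLowerCase();
    // A <link> is treated as a dependent resource only when it is a stylesheet.
    if (name === 'link' && !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(attrs)) continue;
    const attr = name === 'link' ? 'href' : 'src';
    const m = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*["']([^"']+)["']`, 'i').exec(attrs);
    if (!m) continue;
    let target;
    try { target = new URL(m[1], page); } catch { continue; } // skip unparsable references
    if (INSECURE.has(target.protocol)) found.push({ tag: name, url: target.href });
  }
  return found;
}

// The quoted WebSocket rule: a non-secure socket URL from a secure origin is refused.
function checkWebSocket(originUrl, socketUrl) {
  const secure = new URL(socketUrl).protocol === 'wss:';
  if (!secure && SECURE.has(new URL(originUrl).protocol)) {
    const err = new Error(`insecure WebSocket ${socketUrl} from secure origin`);
    err.name = 'SecurityError';
    throw err;
  }
  return true;
}

// Constructed sample page: relative, protocol-relative and upper-case scheme references.
const SAMPLE = `
<link rel="stylesheet" href="/site.css">
<link rel="canonical" href="http://example.com/">
<script src="http://cdn.example.net/lib.js"></script>
<img src="//img.example.net/a.png">
<img src="HTTP://img.example.net/b.png">
<a href="http://example.org/">link</a>`;
```

Relative and protocol-relative references inherit the page's scheme and are not reported; the canonical link and the anchor are skipped because they are not fetched as dependent resources.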