diff --git a/specs/mixedcontent/index.html b/specs/mixedcontent/index.html index b1169694..c88c40b4 100644 --- a/specs/mixedcontent/index.html +++ b/specs/mixedcontent/index.html @@ -154,7 +154,7 @@
http://example.com/image.png
is mixed
@@ -317,14 +316,6 @@ If a browsing context restricts mixed content, then user - agents MUST adhere to the following requirements when fetching - resources in response to its requests (including not only requests for a - Document’s subresources, but also requests made from - Workers, SharedWorkers, ServiceWorkers and so on):
+If a browsing context’s incumbent settings object restricts + mixed content, or the relevant settings object for a script + restricts mixed content, then user agents MUST adhere to the + following requirements when fetching resources in response to + requests (including not only requests for a Document’s + subresources, but also requests made from Workers, SharedWorkers, + ServiceWorkers and so on):
If the relevant settings object for a script script has a - responsible browsing context which restricts mixed content, - then user agents MUST adhere to the following requirements when executing - the following APIs in the context of script:
+If the relevant settings object for a script script + restricts mixed content, then user agents MUST adhere to the + following requirements when executing the following APIs in the context + of script:
If a browsing context restricts mixed content, then user - agents MAY choose to warn users of the presence of one or more - form elements with action attributes - whose values are insecure URLs.
+If a Document
's incumbent settings object restricts mixed
+ content, then user agents MAY choose to warn users of the presence of
+ one or more form elements with action
+ attributes whose values are insecure URLs.
Note: Chrome, for example, currently gives the same UI treatment to a page with an insecure form action as it does for a page that displays an insecure @@ -697,8 +697,9 @@
Given a browsing context context, the user agent - determines whether context - restricts mixed content - via the following algorithm, which returns true if - context restricts mixed content, and false - otherwise.
+Both documents and workers have environment settings objects which
+ may be examined according to the following algorithm in order to determine
+ whether they restrict
+ mixed content. This algorithm returns restricts mixed
+ content
or does not restrict mixed content
, as
+ appropriate.
Given an environment settings object settings:
authenticated
, then return restricts mixed
+ content.
authenticated
, then return restricts mixed
+ content.
+ context frame
type
.
- client
’s responsible browsing context.
- context frame type
is
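Review bot: The new introduction ("Both documents and workers have environment settings objects which may be examined ...") does not say which settings object a caller passes as settings, and the call sites changed elsewhere in this patch name it three different ways: "a browsing context's incumbent settings object", "a Document's incumbent settings object" and "the relevant settings object for a script". Suggest naming the input once here and using that same phrase at each call site. Also, "whether they restrict mixed content" can be read as referring either to the documents and workers or to their settings objects; "whether a given settings object restricts mixed content" would remove the ambiguity.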
@@ -902,12 +908,8 @@ Start using the TLS State
field whenever Fetch
- defines it.
Note: If a user agent is configured to reject weakly - TLS-protected resources, we’ll never hit this condition, as - step 6 of the Fetch - algorithm would have returned a network error. [FETCH]
-Note: This covers cases in which the TLS handshake succeeds, and the - resource exceeds the definition of weakly TLS-protected, but - the user agent chooses to hold it to a higher standard. The definition - of deprecated TLS-protection has some examples of these kinds - of scenarios.
+ If response’s authentication state is not +authenticated
, return blocked.
+
+Note: This covers both cases in which unauthenticated resources are + requested, as well as cases in which the TLS handshake succeeds, and + the resource exceeds the definition of weakly TLS-protected, + but the user agent chooses to hold it to a higher standard. The + definition of deprecated TLS-protection has some examples of + these kinds of scenarios.
SecurityError
exception.
+ object’s restricts mixed content, then throw a
+ SecurityError
exception.
TLS State
field whenever Fetch
- defines it. ↵ http://example.com/image.png
is mixed
@@ -173,14 +173,6 @@ restricts mixed
+ content
or does not restrict mixed content
, as
+ appropriate.
+
+ Given an environment settings object settings:
authenticated
, then return restricts mixed
+ content.
authenticated
, then return restricts mixed
+ content.
+ context frame
type
.
- client
's responsible browsing context.
- context frame type
is
@@ -765,12 +772,8 @@ TLS State
field whenever Fetch
- defines it.
- authenticated
, return blocked.
+
+ Note: This covers both cases in which unauthenticated resources are
+ requested, as well as cases in which the TLS handshake succeeds, and
+ the resource exceeds the definition of weakly TLS-protected,
+ but the user agent chooses to hold it to a higher standard. The
+ definition of deprecated TLS-protection has some examples of
+ these kinds of scenarios.
SecurityError
exception.
+ object's restricts mixed content, then throw a
+ SecurityError
exception.
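Review bot: In the added line "object's restricts mixed content, then throw a SecurityError exception", the possessive leaves the condition without a verb. The other call sites in this patch write "settings object ... restricts mixed content", so dropping the "'s" would make this one match. In the rewritten Note, "covers both cases in which unauthenticated resources are requested, as well as cases in which the TLS handshake succeeds" mixes two constructions; "both ... and" reads more cleanly.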