Tanvi Vyas | 30 Jul 2012 23:00

Re: Mixed Content Across Browsers

Moving this to dev-security.

Also looks like Safari (which isn't included in my linked table) 
released Safari 6 last week.  This is what EV and SSL certs look like on 
Safari 6: http://cl.ly/image/1b1s0w1E2F2O.  Not sure if they handle the 
mixed content case.

On 7/23/12 5:53 PM, Tanvi Vyas wrote:
> Hey,
>
> I went through and observed the Mixed Content behavior of IE (since I 
> hadn't before) and have documented it here, along with Chrome's, 
> Firefox 14's, and Opera's behavior.  Please see this link for a table 
> with the details:
>
> https://www.evernote.com/shard/s200/sh/d057ce69-bf51-483a-9b13-8186a8f5fcef/f0bb8712965da0c8b21578146c6c0ff8
>
> Looking through this, I am glad that we are uniform with Opera and 
> Chrome on the globe and the lock icons.  I'd also like to unify the 
> Mixed Content Icons across browsers.  Looks like IE and Opera haven't 
> figured out how to solve that problem yet either.
>
> For our Mixed Content Blocker, we could include our "fix this/insecure 
> content" message at the bottom of the page (like IE does).  When 
> clicked, we could make an animation that takes the user's eyes to the 
> https and lock icon.  We could cross out the https and change the 
> icon.  Instead of the animation, we could always just draw attention 
> to the icon and the crossed out https by flashing it or making it 
> bigger for a couple seconds.
>

Tanvi Vyas | 3 Aug 2012 21:03

Re: Mixed Content Across Browsers

Chrome 21 has changed their mixed script blocking UI: 
http://blog.chromium.org/2012/08/ending-mixed-scripting-vulnerabilities.html

Now they use a shield in the URL Bar, which reminds me of IE's rendering 
mode icon in their url bar.  One of the ideas Asa proposed was to create 
a similar broken/fix icon similar to IE's for Firefox's blocking mechanism.

Perhaps this means that the number of sites that have mixed script 
content issues has reduced to a point where we don't need to interrupt 
the user.  But I don't have any concrete data to support that.

~Tanvi

On 7/30/12 2:00 PM, Tanvi Vyas wrote:
> Moving this to dev-security.
>
> Also looks like Safari (which isn't included in my linked table) 
> released Safari 6 last week.  This is what EV and SSL certs look like 
> on Safari 6: http://cl.ly/image/1b1s0w1E2F2O. Not sure if they handle 
> the mixed content case.
>
> On 7/23/12 5:53 PM, Tanvi Vyas wrote:
>> Hey,
>>
>> I went through and observed the Mixed Content behavior of IE (since I 
>> hadn't before) and have documented it here, along with Chrome's, 
>> Firefox 14's, and Opera's behavior.  Please see this link for a table 
>> with the details:
>>
>> https://www.evernote.com/shard/s200/sh/d057ce69-bf51-483a-9b13-8186a8f5fcef/f0bb8712965da0c8b21578146c6c0ff8