Some specs on /TR/ are lacking stylesheets

Some specs on /TR/ are lacking stylesheets

Philippe Wittenbergh-6
Sample URL: https://www.w3.org/TR/css3-sizing/ and https://www.w3.org/TR/css3-selectors/
Browser: Safari 9.1 and 9.x TP

console flags:
[Warning] [blocked] The page at https://www.w3.org/TR/css3-sizing/ was not allowed to run insecure content from http://www.w3.org/StyleSheets/TR/W3C-WD.css. (css3-sizing, line 12)

[Warning] The page at https://www.w3.org/TR/css3-sizing/ was allowed to display insecure content from http://www.w3.org/Icons/w3c_home. (css3-sizing, line 17)

A quick look at the source of the page reveals that the stylesheet is linked with an absolute (non-https) URL
http://www.w3.org/StyleSheets/TR/W3C-WD.css

Firefox otoh is apparently less strict and loads the stylesheet. I haven’t checked what others do.

It is a minor issue – or maybe a blessing in disguise? (the a:hover ‘effect’ on the recent stylesheets is on the negative side of mildly annoying…)

Philippe
--
Philippe Wittenbergh
http://l-c-n.com/

Re: Some specs on /TR/ are lacking stylesheets

L. David Baron
On Sunday 2016-04-10 15:27 +0900, Philippe Wittenbergh wrote:

> Sample URL: https://www.w3.org/TR/css3-sizing/ and https://www.w3.org/TR/css3-selectors/
> Browser: Safari 9.1 and 9.x TP
>
> console flags:
> [Warning] [blocked] The page at https://www.w3.org/TR/css3-sizing/ was not allowed to run insecure content from http://www.w3.org/StyleSheets/TR/W3C-WD.css. (css3-sizing, line 12)
>
> [Warning] The page at https://www.w3.org/TR/css3-sizing/ was allowed to display insecure content from http://www.w3.org/Icons/w3c_home. (css3-sizing, line 17)
>
> A quick look at the source of the page reveals that the stylesheet is linked with an absolute (non-https) URL
> http://www.w3.org/StyleSheets/TR/W3C-WD.css
>
> Firefox otoh is apparently less strict and loads the stylesheet. I haven’t checked what others do.

The issue is not being less strict, but rather supporting
https://www.w3.org/TR/upgrade-insecure-requests/
which is able to auto-convert that link to https *before* the mixed
content check happens.

The best public discussion of this issue that I've been able to find
is the set of slides, in French, at:
https://www.w3.org/Talks/2016/0402-jdll-lyon-jk/
particularly slide 9:
https://www.w3.org/Talks/2016/0402-jdll-lyon-jk/#(9)

www-style probably isn't the best forum for the discussion, though.
Maybe https://lists.w3.org/Archives/Public/spec-prod/ ??  It is
certainly a known issue; I've heard it discussed in in-person
conversations.

-David

--
𝄞   L. David Baron                         http://dbaron.org/   𝄂
𝄢   Mozilla                          https://www.mozilla.org/   𝄂
             Before I built a wall I'd ask to know
             What I was walling in or walling out,
             And to whom I was like to give offense.
               - Robert Frost, Mending Wall (1914)
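
The behaviour described in this reply can be modelled as a small audit, shown here as an added example that is not part of the original thread: the upgrade to https happens before the mixed content check, so the same markup gives different outcomes depending on browser support. The function names, the `browserSupportsUpgrade` flag, the outcome labels and the assumption that the page is served with the `upgrade-insecure-requests` CSP directive are all hypothetical.

```javascript
// Constructed sample: the two http:// URLs are the ones quoted in the thread;
// the https script URL is a made-up placeholder.
const SAMPLE_HTML = `
<link rel="stylesheet" type="text/css" href="http://www.w3.org/StyleSheets/TR/W3C-WD.css">
<img src="http://www.w3.org/Icons/w3c_home" alt="W3C">
<script src="https://example.org/constructed.js"></script>`;

// Only these three element types are inspected (a simplification).
const SUBRESOURCE = /<(link|script|img)\b[^>]*?\b(?:href|src)\s*=\s*["']([^"']+)["'][^>]*>/gi;

// True when a Content-Security-Policy value carries the directive.
function hasUpgradeDirective(cspHeader) {
  return (cspHeader || '')
    .split(';')
    .some((d) => d.trim().toLowerCase() === 'upgrade-insecure-requests');
}

// Lists every http:// subresource of an https:// page with its expected fate.
// Assumption: cspHeader is the policy the server sends with the page.
function auditMixedContent(pageUrl, html, cspHeader, browserSupportsUpgrade) {
  const page = new URL(pageUrl);
  const upgrade = browserSupportsUpgrade && hasUpgradeDirective(cspHeader);
  const findings = [];
  for (const m of html.matchAll(SUBRESOURCE)) {
    const tag = m[1].toLowerCase();
    // <link> matters only when it pulls in a stylesheet.
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet/i.test(m[0])) continue;
    const url = new URL(m[2], page); // resolves relative references too
    if (page.protocol !== 'https:' || url.protocol !== 'http:') continue;
    let outcome;
    if (upgrade) {
      // The rewrite runs first, so the mixed content check never sees http.
      url.protocol = 'https:';
      outcome = 'upgraded';
    } else {
      // Images are optionally-blockable; stylesheets and scripts are blockable.
      outcome = tag === 'img' ? 'displayed-with-warning' : 'blocked';
    }
    findings.push({ tag, url: url.href, outcome });
  }
  return findings;
}

// Browser without upgrade support: matches the two console warnings reported.
console.log(auditMixedContent('https://www.w3.org/TR/css3-sizing/',
  SAMPLE_HTML, 'upgrade-insecure-requests', false));
```

Fixing the markup itself (https or scheme-relative URLs) removes the dependency on browser support for the directive.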

Re: Some specs on /TR/ are lacking stylesheets

Philippe Wittenbergh-6

> On Apr 10, 2016, at 15:40, L. David Baron <[hidden email]> wrote:
>
> The issue is not being less strict, but rather supporting
> https://www.w3.org/TR/upgrade-insecure-requests/
> which is able to auto-convert that link to https *before* the mixed
> content check happens.

Ok, thanks for that pointer. I wasn’t aware of that CSP directive.

> www-style probably isn't the best forum for the discussion, though.

Oh, I don’t want to enter a discussion on the subject. I was just flagging an issue with www-style specs.

fwiw - https://bugs.webkit.org/show_bug.cgi?id=143653 and https://status.modern.ie/upgradeinsecureresourcerequests


Philippe
--
Philippe Wittenbergh
http://l-c-n.com/