CR.html

<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <title>Mixed Content</title>
  <link href="default.css" rel="stylesheet" type="text/css">
  <link href="https://www.w3.org/StyleSheets/TR/W3C-CR" rel="stylesheet" type="text/css">
  <meta content="Bikeshed 1.0.0" name="generator">
<style>
        .dfn-panel {
            display: inline-block;
            position: absolute;
            z-index: 35;
            height: auto;
            width: -webkit-fit-content;
            max-width: 300px;
            max-height: 500px;
            overflow: auto;
            padding: 0.5em 0.75em;
            font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
            background: #DDDDDD;
            color: black;
            border: outset 0.2em;
        }
        .dfn-panel:not(.on) { display: none; }
        .dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
        .dfn-panel > b { display: block; }
        .dfn-panel a { color: black; }
        .dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
        .dfn-panel > b + b { margin-top: 0.25em; }
        .dfn-panel > span { display: list-item; list-style: inside; }
        .dfn-panel.activated {
            display: inline-block;
            position: fixed;
            left: .5em;
            bottom: .5em;
            margin: 0 auto;
            max-width: calc(100vw - 1.5em - .4em - .5em);
            max-height: 30vh;
        }

        .dfn-paneled { cursor: pointer; }
        </style>
 <body class="h-entry">
  <div class="head">
   <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
   <h1 class="p-name no-ref" id="title">Mixed Content</h1>
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">W3C Candidate Recommendation, <time class="dt-updated" datetime="2016-08-02">2 August 2016</time></span></h2>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://www.w3.org/TR/2016/CR-mixed-content-20160802/">https://www.w3.org/TR/2016/CR-mixed-content-20160802/</a>
     <dt>Latest version:
     <dd><a href="https://www.w3.org/TR/mixed-content/">https://www.w3.org/TR/mixed-content/</a>
     <dt>Editor's Draft:
     <dd><a href="https://w3c.github.io/webappsec-mixed-content/">https://w3c.github.io/webappsec-mixed-content/</a>
     <dt>Previous Versions:
     <dd><a href="https://www.w3.org/TR/2015/CR-mixed-content-20151008/" rel="previous">https://www.w3.org/TR/2015/CR-mixed-content-20151008/</a>
     <dt>Version History:
     <dd><a href="https://github.com/w3c/webappsec-mixed-content/commits/master/index.src.html">https://github.com/w3c/webappsec-mixed-content/commits/master/index.src.html</a>
     <dt>Feedback:
     <dd><span><a href="mailto:public-webappsec@w3.org?subject=%5Bmixed-content%5D%20YOUR%20TOPIC%20HERE">public-webappsec@w3.org</a> with subject line “<kbd>[mixed-content] <i data-lt="">… message topic …</i></kbd>” (<a href="http://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
     <dt class="editor">Editor:
     <dd class="editor p-author h-card vcard" data-editor-id="56384"><a class="p-name fn u-email email" href="mailto:mkwst@google.com">Mike West</a> (<span class="p-org org">Google Inc.</span>)
     <dt>Participate:
     <dd><span><a href="https://github.com/w3c/webappsec-mixed-content/issues/new">File an issue</a> (<a href="https://github.com/w3c/webappsec-mixed-content/issues">open issues</a>)</span>
    </dl>
   </div>
   <div data-fill-with="warning"></div>
   <p class="copyright" data-fill-with="copyright"><a href="https://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2016 <a href="https://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="http://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="http://www.keio.ac.jp/">Keio</a>, <a href="http://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="https://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="https://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="https://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
   <hr title="Separator for header">
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
  <div class="p-summary" data-fill-with="abstract">
   <p>This specification describes how a user agent should handle fetching of

content over unencrypted or unauthenticated connections in the context of an
encrypted and authenticated document.</p>
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
  <div data-fill-with="status">
   <p> <em>This section describes the status of this document at the time of
  its publication. Other documents may supersede this document. A list of
  current W3C publications and the latest revision of this technical report
  can be found in the <a href="https://www.w3.org/TR/">W3C technical reports
  index at https://www.w3.org/TR/.</a></em> </p>
   <p> This document was published by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a> as a Candidate Recommendation. This document is intended to become a W3C Recommendation.
  This document will remain a Candidate Recommendation at least until <time class="status-deadline" datetime="2016-09-20">20 September 2016</time> in order
  to ensure the opportunity for wide review. </p>
   <p> The (<a href="http://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list <a href="mailto:public-webappsec@w3.org?Subject=%5Bmixed-content%5D%20PUT%20SUBJECT%20HERE">public-webappsec@w3.org</a> (see <a href="https://www.w3.org/Mail/Request">instructions</a>)
	is preferred for discussion of this specification.
	When sending e-mail,
	please put the text “mixed-content” in the subject,
	preferably like this:
	“[mixed-content] <em>…summary of comment…</em>” </p>
   <p> Publication as a Candidate Recommendation does not imply endorsement by the W3C
  Membership. This is a draft document and may be updated, replaced or
  obsoleted by other documents at any time. It is inappropriate to cite this
  document as other than work in progress. </p>
   <p> The entrance criteria for this document to enter the Proposed Recommendation stage
  is to have a minimum of two independent and interoperable user agents that
  implement all the features of this specification, which will be determined by
  passing the user agent tests defined in the test suite developed by the Working
  Group. The Working Group will prepare an implementation report to track progress. </p>
   <p> This document was produced by a group operating under
	the <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>.
	W3C maintains a <a href="https://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group;
	that page also includes instructions for disclosing a patent.
	An individual who has actual knowledge of a patent which the individual believes contains <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>. </p>
   <p> This document is governed by the <a href="https://www.w3.org/2015/Process-20150901/" id="w3c_process_revision">1 September 2015 W3C Process Document</a>. </p>
   <p></p>
  </div>
  <div data-fill-with="at-risk">
   <p>The following features are at-risk, and may be dropped during the CR period: </p>
   <ul>
    <li>The <a data-link-type="dfn" href="#passthrough-request">passthrough request</a> concept, and the related carveout in the blocking algorithms.
   </ul>
   <p>“At-risk” is a W3C Process term-of-art, and does not necessarily imply that the feature is in danger of being dropped or delayed. It means that the WG believes the feature may have difficulty being interoperably implemented in a timely manner, and marking it as such allows the WG to drop the feature if necessary when transitioning to the Proposed Rec stage, without having to publish a new Candidate Rec without the feature first.</p>
  </div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li><a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
    <li><a href="#terms"><span class="secno">2</span> <span class="content">Key Concepts and Terminology</span></a>
    <li>
     <a href="#categories"><span class="secno">3</span> <span class="content">Content Categories</span></a>
     <ol class="toc">
      <li><a href="#category-optionally-blockable"><span class="secno">3.1</span> <span class="content">Optionally-blockable Content</span></a>
      <li><a href="#category-blockable"><span class="secno">3.2</span> <span class="content">Blockable Content</span></a>
     </ol>
    <li>
     <a href="#strict-checking"><span class="secno">4</span> <span class="content">Strict Mixed Content Checking</span></a>
     <ol class="toc">
      <li><a href="#strict-effects"><span class="secno">4.1</span> <span class="content">Effects</span></a>
      <li><a href="#strict-opt-in"><span class="secno">4.2</span> <span class="content">Opting-in</span></a>
      <li><a href="#strict-nesting"><span class="secno">4.3</span> <span class="content">Inheriting an opt-in</span></a>
     </ol>
    <li>
     <a href="#algorithms"><span class="secno">5</span> <span class="content">Insecure Content in Secure Contexts</span></a>
     <ol class="toc">
      <li><a href="#categorize-settings-object"><span class="secno">5.1</span> <span class="content"> Does <var>settings</var> prohibit mixed security contexts? </span></a>
      <li><a href="#is-passthrough"><span class="secno">5.2</span> <span class="content"> Is <var>request</var> a passthrough request? </span></a>
      <li><a href="#should-block-fetch"><span class="secno">5.3</span> <span class="content"> Should fetching <var>request</var> be blocked as mixed content? </span></a>
      <li><a href="#should-block-response"><span class="secno">5.4</span> <span class="content"> Should <var>response</var> to <var>request</var> be blocked as mixed
      content? </span></a>
     </ol>
    <li><a href="#websockets-integration"><span class="secno">6</span> <span class="content">Modifications to WebSockets</span></a>
    <li>
     <a href="#security-considerations"><span class="secno">7</span> <span class="content">Security and Privacy Considerations</span></a>
     <ol class="toc">
      <li><a href="#limitations"><span class="secno">7.1</span> <span class="content">Limitations</span></a>
      <li><a href="#requirements-forms"><span class="secno">7.2</span> <span class="content">Form Submission</span></a>
      <li><a href="#requirements-ux"><span class="secno">7.3</span> <span class="content">UI Requirements</span></a>
      <li><a href="#requirements-user-controls"><span class="secno">7.4</span> <span class="content">User Controls</span></a>
      <li><a href="#service-workers"><span class="secno">7.5</span> <span class="content">Service Workers</span></a>
      <li><a href="#further-action"><span class="secno">7.6</span> <span class="content">Further Action</span></a>
     </ol>
    <li><a href="#iana-considerations"><span class="secno">8</span> <span class="content">IANA Considerations</span></a>
    <li><a href="#acknowledgements"><span class="secno">9</span> <span class="content">Acknowledgements</span></a>
    <li>
     <a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
     <ol class="toc">
      <li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
      <li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
     </ol>
    <li>
     <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ol class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ol>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
    <li><a href="#issues-index"><span class="secno"></span> <span class="content">Issues Index</span></a>
   </ol>
  </nav>
  <main>
   <section>
    <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>
    <p><em>This section is not normative.</em></p>
    <p>When a user successfully loads a resource from example.com over a secure
  channel (HTTPS, for example), the user agent is able to make three assertions
  critical to the user’s security and privacy:</p>
    <ul>
     <li> The user is communicating with a server that is allowed to claim to be <code>example.com</code>, and not one of the many, many servers through
      which her request has hopped. The connection can be <strong>authenticated</strong>. 
     <li> The user’s communications with <code>example.com</code> cannot be
      trivially eavesdropped upon by middlemen, because the requests she makes
      and the responses she receives are <strong>encrypted</strong>. 
     <li> The user’s communications with <code>example.com</code> cannot be
      trivially modified by middlemen, the encryption and authentication
      provide a guarantee of <strong>data integrity</strong>. 
    </ul>
    <p>Together, these assertions give the user some assurance that <code>example.com</code> is the only entity that can read and respond to her
  requests (caveat: without shocking amounts of work) and that the bits she’s
  received are indeed those that <code>example.com</code> actually sent.</p>
    <p>The strength of these assertions is substantially weakened, however, when
  the encrypted and authenticated resource requests subresources (scripts,
  images, etc) over an insecure channel. Those resource requests result in a
  resource whose status is mixed, as insecure requests are wide open for
  man-in-the-middle attacks. This scenario is unfortunately quite common.</p>
    <p>This specification details how a user agent can mitigate these risks to
  security and privacy by limiting a resource’s ability to inadvertently
  communicate in the clear.</p>
    <p class="note" role="note">Note: Nothing described in this document is really new; everything covered
  here has appeared in one or more user agents over the years: Internet
  Explorer led the way, alerting users to mixed content since <a href="https://twitter.com/ericlaw/status/469813922908758016">around</a> version 4.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="2" id="terms"><span class="secno">2. </span><span class="content">Key Concepts and Terminology</span><a class="self-link" href="#terms"></a></h2>
    <dl>
     <dt> <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-local-lt="mixed" data-lt="mixed content" id="mixed-content">mixed content<span class="dfn-panel" data-deco=""><b><a href="#mixed-content">#mixed-content</a></b><b>Referenced in:</b><span><a href="#ref-for-mixed-content-1">3. Content Categories</a> <a href="#ref-for-mixed-content-2">(2)</a></span><span><a href="#ref-for-mixed-content-3">3.1. Optionally-blockable Content</a></span><span><a href="#ref-for-mixed-content-4">5.3. 
      Should fetching request be blocked as mixed content? </a></span><span><a href="#ref-for-mixed-content-5">5.4. 
      Should response to request be blocked as mixed
      content? </a></span><span><a href="#ref-for-mixed-content-6">7.3. UI Requirements</a> <a href="#ref-for-mixed-content-7">(2)</a></span><span><a href="#ref-for-mixed-content-8">7.4. User Controls</a></span><span><a href="#ref-for-mixed-content-9">7.6. Further Action</a></span></span></dfn> 
     <dd>
       A <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> is <strong>mixed content</strong> if its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> is not <a data-link-type="dfn" href="#a-priori-authenticated-url" id="ref-for-a-priori-authenticated-url-1"><i lang="la">a priori</i> authenticated</a>, <strong>and</strong> the context responsible for
      loading it requires prohibits mixed security contexts (see <a href="#categorize-settings-object">§5.1 Does settings prohibit mixed security contexts?</a> for a normative definition of the latter). 
      <p>A <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> is <strong>mixed content</strong> if it is an <a data-link-type="dfn" href="#unauthenticated-response" id="ref-for-unauthenticated-response-1">unauthenticated response</a>, <strong>and</strong> the context
      responsible for loading it requires prohibits mixed security contexts.</p>
      <div class="example" id="example-0665cf9f">
       <a class="self-link" href="#example-0665cf9f"></a> Inside a context that restricts mixed content
        (<code>https://secure.example.com/</code>, for example): 
       <ol>
        <li data-md="">
         <p>A request for the script <code>http://example.com/script.js</code> is <strong>mixed content</strong>. As script <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">requests</a> are <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-1">blockable</a>, the user agent will return a network error rather
  than loading the resource.</p>
        <li data-md="">
         <p>A request for the image <code>http://example.com/image.png</code> is <strong>mixed content</strong>. As image <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">requests</a> are <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-1">optionally-blockable</a>, the user agent might load the image, in
  which case the image resource itself would be <strong>mixed
  content</strong>.</p>
       </ol>
      </div>
      <p>If mixed content is loaded into a context that restricts mixed content
      (as in #2 above), that context is considered a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6797#section-12.4">mixed security
      context</a> (as defined in <a data-link-type="biblio" href="#biblio-rfc6797">[RFC6797]</a>).</p>
      <p class="note" role="note">Note: "Mixed content" was originally defined in <a href="https://www.w3.org/TR/wsc-ui/#securepage">section 5.3</a> of <a data-link-type="biblio" href="#biblio-wsc-ui">[WSC-UI]</a>. This document updates that initial definition.</p>
      <p class="note" role="note">Note: <a data-link-type="biblio" href="#biblio-xml">[XML]</a> also defines an unrelated <a href="https://www.w3.org/TR/2008/REC-xml-20081126/#sec-mixed-content">"mixed content"</a>.
      concept. This is potentially confusing, but given the term’s near
      ubiquitious usage in a security context across user agents for more than
      a decade, the practical risk of confusion seems low.</p>
     <dt> <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-local-lt="a priori authenticated" data-lt="a priori authenticated URL" id="a-priori-authenticated-url"> <i lang="la">a priori</i> authenticated URL <span class="dfn-panel" data-deco=""><b><a href="#a-priori-authenticated-url">#a-priori-authenticated-url</a></b><b>Referenced in:</b><span><a href="#ref-for-a-priori-authenticated-url-1">2. Key Concepts and Terminology</a> <a href="#ref-for-a-priori-authenticated-url-2">(2)</a></span><span><a href="#ref-for-a-priori-authenticated-url-3">5. Insecure Content in Secure Contexts</a></span><span><a href="#ref-for-a-priori-authenticated-url-4">5.3. 
      Should fetching request be blocked as mixed content? </a></span><span><a href="#ref-for-a-priori-authenticated-url-5">7.2. Form Submission</a></span></span></dfn> 
     <dd>
       We know <i lang="la">a priori</i> that a request to a particular URL
      (<var>url</var>) will be delivered in a way that mitigates the risks of
      interception and modifications if either of the following statements is
      true: 
      <ol>
       <li data-md="">
        <p>The algorithm defined in <span spec-section="#is-url-trustworthy"></span> returns "<code>Potentially Trustworthy</code>" when executed upon <var>url</var> <span>[SECURE-CONTEXTS]</span>.</p>
       <li data-md="">
        <p><var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a> is "<code>data</code>".</p>
        <p class="note" role="note">Note: We special case <code>data</code> URLs here, as we don’t consider them
  particularly trustworthy, but we also don’t wish to block them as
  mixed content, as they never hit the network.</p>
      </ol>
     <dt> <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-local-lt="unauthenticated" data-lt="unauthenticated response" id="unauthenticated-response"> unauthenticated response <span class="dfn-panel" data-deco=""><b><a href="#unauthenticated-response">#unauthenticated-response</a></b><b>Referenced in:</b><span><a href="#ref-for-unauthenticated-response-1">2. Key Concepts and Terminology</a></span><span><a href="#ref-for-unauthenticated-response-2">5. Insecure Content in Secure Contexts</a> <a href="#ref-for-unauthenticated-response-3">(2)</a></span><span><a href="#ref-for-unauthenticated-response-4">5.4. 
      Should response to request be blocked as mixed
      content? </a> <a href="#ref-for-unauthenticated-response-5">(2)</a></span></span></dfn> 
     <dd>
       We know <i lang="la">a posteriori</i> that a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>) is unauthenticated if both of the following statements
      are true: 
      <ol>
       <li data-md="">
        <p><var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> is <a data-link-type="dfn" href="#a-priori-authenticated-url" id="ref-for-a-priori-authenticated-url-2"><i lang="la">a
  priori</i> authenticated</a>.</p>
       <li data-md="">
        <p>If <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a> is "<code>https</code>" or "<code>wss</code>", <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-https-state">HTTPS
  state</a> is "<code>modern</code>".</p>
      </ol>
     <dt><dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="embedding document" id="embedding-document">embedding document<span class="dfn-panel" data-deco=""><b><a href="#embedding-document">#embedding-document</a></b><b>Referenced in:</b><span><a href="#ref-for-embedding-document-1">4.3. Inheriting an opt-in</a></span><span><a href="#ref-for-embedding-document-2">5.1. 
      Does settings prohibit mixed security contexts? </a> <a href="#ref-for-embedding-document-3">(2)</a> <a href="#ref-for-embedding-document-4">(3)</a></span></span></dfn>
     <dd> Given a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> <var>A</var>, the <strong>embedding
      document</strong> of <var>A</var> is the <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#through-which-new-document-is-nested">through which</a> <var>A</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#browsing-context">browsing
      context</a> is nested <a data-link-type="biblio" href="#biblio-html51">[HTML51]</a>. 
    </dl>
   </section>
   <section>
    <h2 class="heading settled" data-level="3" id="categories"><span class="secno">3. </span><span class="content">Content Categories</span><a class="self-link" href="#categories"></a></h2>
    <p>In a perfect world, each user agent would be required to block all <a data-link-type="dfn" href="#mixed-content" id="ref-for-mixed-content-1">mixed
  content</a> without exception. Unfortunately, that is impractical on today’s
  Internet; a user agent needs to be more nuanced in its restrictions to avoid
  degrading the experience on a substantial number of websites.</p>
    <p>With that in mind, we here split mixed content into two categories: <a href="#category-optionally-blockable">§3.1 Optionally-blockable Content</a> and <a href="#category-blockable">§3.2 Blockable Content</a>.</p>
    <p class="note" role="note">Note: Future versions of this specification will update this categorization
  with the intent of moving towards a world where all <a data-link-type="dfn" href="#mixed-content" id="ref-for-mixed-content-2">mixed</a> content is
  blocked; that is the end goal, but this is the best we can do for now.</p>
    <section>
     <h3 class="heading settled" data-level="3.1" id="category-optionally-blockable"><span class="secno">3.1. </span><span class="content">Optionally-blockable Content</span><a class="self-link" href="#category-optionally-blockable"></a></h3>
     <p>A resource or <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> is <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="optionally-blockable" data-noexport="" id="optionally-blockable">optionally-blockable<span class="dfn-panel" data-deco=""><b><a href="#optionally-blockable">#optionally-blockable</a></b><b>Referenced in:</b><span><a href="#ref-for-optionally-blockable-1">2. Key Concepts and Terminology</a></span><span><a href="#ref-for-optionally-blockable-2">3.2. Blockable Content</a></span><span><a href="#ref-for-optionally-blockable-3">4. Strict Mixed Content Checking</a></span><span><a href="#ref-for-optionally-blockable-4">4.1. Effects</a></span><span><a href="#ref-for-optionally-blockable-5">5.2. 
      Is request a passthrough request? </a></span><span><a href="#ref-for-optionally-blockable-6">5.3. 
      Should fetching request be blocked as mixed content? </a></span><span><a href="#ref-for-optionally-blockable-7">5.4. 
      Should response to request be blocked as mixed
      content? </a></span><span><a href="#ref-for-optionally-blockable-8">7.3. UI Requirements</a></span><span><a href="#ref-for-optionally-blockable-9">7.4. User Controls</a></span><span><a href="#ref-for-optionally-blockable-10">7.5. Service Workers</a> <a href="#ref-for-optionally-blockable-11">(2)</a></span><span><a href="#ref-for-optionally-blockable-12">7.6. Further Action</a> <a href="#ref-for-optionally-blockable-13">(2)</a></span></span></dfn> when the risk of allowing its usage as <a data-link-type="dfn" href="#mixed-content" id="ref-for-mixed-content-3">mixed content</a> is outweighed by
    the risk of breaking significant portions of the web. This could be because
    mixed usage of the resource type is sufficiently high, and because the
    resource is low-risk in and of itself. The fact that these resource types
    are optionally-blockable does not mean that they are <em>safe</em>, simply
    that they’re less catastrophically dangerous than other resource types. For
    example, images and icons are often the central UI elements in an
    application’s interface. If an attacker reversed the "Delete email" and
    "Reply" icons, there would be real impact to users.</p>
     <p>This category of content includes:</p>
     <ul>
      <li>
        Images loaded via <code><a data-link-type="element" href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-img-element">img</a></code> or CSS (<a class="property" data-link-type="propdesc" href="https://www.w3.org/TR/css3-background/#background-image">background-image</a>, <a class="property" data-link-type="propdesc" href="https://www.w3.org/TR/css3-background/#border-image">border-image</a>, etc) 
       <p class="note" role="note">Note: This includes SVG documents loaded as images, as they are banned from
        executing script or loading subresources. It does <em>not</em> include
        images loaded via <code><a data-link-type="element" href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-picture-element">picture</a></code>.</p>
      <li> Video loaded via <code><a data-link-type="element" href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-video-element">video</a></code> and <code><a data-link-type="element" href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-source-element">source</a></code> 
      <li> Audio loaded via <code><a data-link-type="element" href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-audio-element">audio</a></code> and <code><a data-link-type="element" href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-source-element">source</a></code> 
     </ul>
     <p class="note" role="note">Note: We further limit this category in <a href="#should-block-fetch">§5.3 Should fetching request be blocked as mixed content?</a> by
    force-failing any CORS-enabled request. This means that mixed content images
    loaded via <code>&lt;img crossorigin ...></code> will be blocked. This is a good example
    of the general principle that content falls into this category <em>only</em> when it is too widely used to be blocked outright. The Working
    Group intends to carve out more blockable subsets as time goes on.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="3.2" id="category-blockable"><span class="secno">3.2. </span><span class="content">Blockable Content</span><a class="self-link" href="#category-blockable"></a></h3>
     <p>Any resource or <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> that isn’t <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-2">optionally-blockable</a> is <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="blockable" data-noexport="" id="blockable">blockable<span class="dfn-panel" data-deco=""><b><a href="#blockable">#blockable</a></b><b>Referenced in:</b><span><a href="#ref-for-blockable-1">2. Key Concepts and Terminology</a></span><span><a href="#ref-for-blockable-2">4. Strict Mixed Content Checking</a></span><span><a href="#ref-for-blockable-3">4.1. Effects</a> <a href="#ref-for-blockable-4">(2)</a></span><span><a href="#ref-for-blockable-5">5.2. 
      Is request a passthrough request? </a></span><span><a href="#ref-for-blockable-6">5.3. 
      Should fetching request be blocked as mixed content? </a></span><span><a href="#ref-for-blockable-7">5.4. 
      Should response to request be blocked as mixed
      content? </a> <a href="#ref-for-blockable-8">(2)</a></span><span><a href="#ref-for-blockable-9">7.2. Form Submission</a></span><span><a href="#ref-for-blockable-10">7.3. UI Requirements</a></span><span><a href="#ref-for-blockable-11">7.4. User Controls</a> <a href="#ref-for-blockable-12">(2)</a></span><span><a href="#ref-for-blockable-13">7.5. Service Workers</a> <a href="#ref-for-blockable-14">(2)</a></span><span><a href="#ref-for-blockable-15">7.6. Further Action</a> <a href="#ref-for-blockable-16">(2)</a></span></span></dfn>. Typical examples of this kind of content include
    scripts, <a data-link-type="dfn" href="https://www.w3.org/TR/html51/infrastructure.html#plugin">plugin</a> data, data requested via <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/XMLHttpRequest/#interface-xmlhttprequest">XMLHttpRequest</a></code>, and so
    on.</p>
     <p class="note" role="note">Note: <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#navigation-request">Navigation requests</a> might target <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing
    contexts</a>; these are not considered mixed content. See <a href="#should-block-fetch">§5.3 Should fetching request be blocked as mixed content?</a> for details.</p>
     <p class="note" role="note">Note: Note that requests made on behalf of a plugin are blockable. We
    recognize, however, that user agents aren’t always in a position to mediate
    these requests. NPAPI plugins, for instance, often have direct network
    access, and can generally bypass the user agent entirely. We recommend that
    plugin vendors implement mixed content checking themselves to mitigate the
    risks outlined in this document.</p>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="4" id="strict-checking"><span class="secno">4. </span><span class="content">Strict Mixed Content Checking</span><a class="self-link" href="#strict-checking"></a></h2>
    <p>In order to give authors assurance that mixed content will never degrade the
  security UI presented to their users (as described in <a href="#requirements-ux">§7.3 UI Requirements</a>),
  authors may choose to enable a stricter variant of mixed content checking
  which will both block <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-3">optionally-blockable</a> and <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-2">blockable</a> mixed
  content, and suppress the user override options discussed in <a href="#requirements-user-controls">§7.4 User Controls</a>.</p>
    <p>To this end, <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> objects and <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#browsing-context">browsing contexts</a> have a <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="strict mixed content checking flag" data-noexport="" id="strict-mixed-content-checking-flag">strict mixed content checking flag<span class="dfn-panel" data-deco=""><b><a href="#strict-mixed-content-checking-flag">#strict-mixed-content-checking-flag</a></b><b>Referenced in:</b><span><a href="#ref-for-strict-mixed-content-checking-flag-1">4.1. Effects</a></span><span><a href="#ref-for-strict-mixed-content-checking-flag-2">4.2. Opting-in</a></span><span><a href="#ref-for-strict-mixed-content-checking-flag-3">4.3. Inheriting an opt-in</a> <a href="#ref-for-strict-mixed-content-checking-flag-4">(2)</a> <a href="#ref-for-strict-mixed-content-checking-flag-5">(3)</a> <a href="#ref-for-strict-mixed-content-checking-flag-6">(4)</a> <a href="#ref-for-strict-mixed-content-checking-flag-7">(5)</a></span><span><a href="#ref-for-strict-mixed-content-checking-flag-8">5.3. 
      Should fetching request be blocked as mixed content? </a></span><span><a href="#ref-for-strict-mixed-content-checking-flag-9">5.4. 
      Should response to request be blocked as mixed
      content? </a></span></span></dfn> which is set to <code>false</code> unless otherwise specified. This flag is checked in both <a href="#should-block-fetch">§5.3 Should fetching request be blocked as mixed content?</a> and <a href="#should-block-response">§5.4 Should response to request be blocked as mixed
      content?</a> to determine whether
  the <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> is in <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="strict mode" data-noexport="" id="strict-mode">strict mode<span class="dfn-panel" data-deco=""><b><a href="#strict-mode">#strict-mode</a></b><b>Referenced in:</b><span><a href="#ref-for-strict-mode-1">7.6. Further Action</a></span></span></dfn>.</p>
    <div class="example" id="example-18c2d3f6">
     <a class="self-link" href="#example-18c2d3f6"></a> A <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> may opt itself into strict mode by either delivering a <code>Content-Security-Policy</code> HTTP header, like: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#block-all-mixed-content" id="ref-for-block-all-mixed-content-1">block-all-mixed-content</a>
</pre>
     <p>or by embedding the policy in a <a data-link-type="element" href="https://www.w3.org/TR/html51/document-metadata.html#the-meta-element">meta</a> element, like:</p>
<pre>&lt;meta http-equiv="Content-Security-Policy"
      content="<a data-link-type="dfn" href="#block-all-mixed-content" id="ref-for-block-all-mixed-content-2">block-all-mixed-content</a>">
</pre>
    </div>
    <p class="note" role="note">Note: Strict mixed content checking is inherited by embedded content; if
  a page opts into strict mode, framed pages will be prevented from loading
  mixed content, as described in <a href="#strict-nesting">§4.3 Inheriting an opt-in</a>.</p>
    <h3 class="heading settled" data-level="4.1" id="strict-effects"><span class="secno">4.1. </span><span class="content">Effects</span><a class="self-link" href="#strict-effects"></a></h3>
    <p>If a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag" id="ref-for-strict-mixed-content-checking-flag-1">strict mixed content checking flag</a> is set to <code>true</code>, the user agent MUST:</p>
    <ol>
     <li> treat <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-4">optionally-blockable</a> mixed content as though it were <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-3">blockable</a>. 
     <li>
       NOT provide users with a mechanism for forcing <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-4">blockable</a> mixed content to load. 
      <p class="note" role="note">Note: This requirement overrides the suggestion in <a href="#requirements-user-controls">§7.4 User Controls</a>.</p>
     <li>
       NOT provide any user-facing indication that mixed content is present. 
      <p class="note" role="note">Note: This requirement overrides the suggestion in <a href="#requirements-ux">§7.3 UI Requirements</a>,
      which is safe to do since the combination of the first and second
      requirements above ensure that mixed content will never load in this
      page’s context.</p>
      <p class="note" role="note">Note: This requirement does not include developer-facing indicators such
      as console messages.</p>
     <li> ensure that these requirements are applied to any <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> in a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#nested-browsing-contexts">nested browsing context</a>, as described in <a href="#strict-nesting">§4.3 Inheriting an opt-in</a>. 
    </ol>
    <h3 class="heading settled" data-level="4.2" id="strict-opt-in"><span class="secno">4.2. </span><span class="content">Opting-in</span><a class="self-link" href="#strict-opt-in"></a></h3>
    <p>Authors may opt a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> into strict mixed content checking via a <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="block-all-mixed-content" data-noexport="" id="block-all-mixed-content">block-all-mixed-content<span class="dfn-panel" data-deco=""><b><a href="#block-all-mixed-content">#block-all-mixed-content</a></b><b>Referenced in:</b><span><a href="#ref-for-block-all-mixed-content-1">4. Strict Mixed Content Checking</a> <a href="#ref-for-block-all-mixed-content-2">(2)</a></span><span><a href="#ref-for-block-all-mixed-content-3">5.3. 
      Should fetching request be blocked as mixed content? </a></span><span><a href="#ref-for-block-all-mixed-content-4">8. IANA Considerations</a></span></span></dfn> Content Security Policy directive <a data-link-type="biblio" href="#biblio-csp3">[CSP3]</a>, defined via the following ABNF grammar.</p>
<pre>directive-name  = "block-all-mixed-content"
directive-value = ""
</pre>
    <p>When <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#enforced">enforcing</a> the <code>block-all-mixed-content</code> directive,
  set the protected resource’s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag" id="ref-for-strict-mixed-content-checking-flag-2">strict mixed content checking flag</a> to <code>true</code>.</p>
    <p>This directive will trigger violation reports for mixed content on a page.
  Details are found in <a href="#should-block-fetch">§5.3 Should fetching request be blocked as mixed content?</a>.</p>
    <p class="note" role="note">Note: A similar effect may be achieved on a more granular level by setting
  individual directives. For example <code>img-src https:</code> would prevent
  insecure images from loading.</p>
    <h3 class="heading settled" data-level="4.3" id="strict-nesting"><span class="secno">4.3. </span><span class="content">Inheriting an opt-in</span><a class="self-link" href="#strict-nesting"></a></h3>
    <p>If a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag" id="ref-for-strict-mixed-content-checking-flag-3">strict mixed content checking flag</a> is set, the user
  agent MUST ensure that all <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#nested-browsing-contexts">nested browsing contexts</a> inherit the setting
  in the following ways:</p>
    <ol>
     <li> When a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#nested-browsing-contexts">nested browsing context</a> <var>context</var> is created, set
      its <a data-link-type="dfn" href="#strict-mixed-content-checking-flag" id="ref-for-strict-mixed-content-checking-flag-4">strict mixed content checking flag</a> to <code>true</code> if <var>context</var>’s <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document-1">embedding document</a>’s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag" id="ref-for-strict-mixed-content-checking-flag-5">strict mixed content
      checking flag</a> is set to <code>true</code>. 
     <li> When <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#initializing-a-new-document-object">initializing a new <code>Document</code> object</a>, set its <a data-link-type="dfn" href="#strict-mixed-content-checking-flag" id="ref-for-strict-mixed-content-checking-flag-6">strict
      mixed content checking flag</a> to <code>true</code> if its <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#browsing-context">browsing
      context</a>’s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag" id="ref-for-strict-mixed-content-checking-flag-7">strict mixed content checking flag</a> is <code>true</code>. 
    </ol>
   </section>
   <section>
    <h2 class="heading settled" data-level="5" id="algorithms"><span class="secno">5. </span><span class="content">Insecure Content in Secure Contexts</span><a class="self-link" href="#algorithms"></a></h2>
    <p>At a high level, the following algorithms allow user agents to determine
  whether particular requests should succeed, or should result in network
  errors.</p>
    <p>Fetch calls the algorithm defined in <a href="#should-block-fetch">§5.3 Should fetching request be blocked as mixed content?</a> at the top of
  the fetching algorithm in order to block network traffic to <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">URL</a>s which are not <a data-link-type="dfn" href="#a-priori-authenticated-url" id="ref-for-a-priori-authenticated-url-3"><i lang="la">a priori</i> authenticated</a> <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a>. Hooking into Fetch here ensures that we catch
  not only the initial request, but all redirects as well.</p>
    <p>Further, Fetch calls the algorithm defined in <a href="#should-block-response">§5.4 Should response to request be blocked as mixed
      content?</a> at the bottom of the fetching algorithm in order to block <a data-link-type="dfn" href="#unauthenticated-response" id="ref-for-unauthenticated-response-2">unauthenticated
  responses</a>. This hook is necessary to detect resources modified or
  synthesized by a ServiceWorker, as well as to determine whether a
  response is <a data-link-type="dfn" href="#unauthenticated-response" id="ref-for-unauthenticated-response-3">unauthenticated</a> once the TLS-handshake has finished. See
  steps 4.1 and 4.2 of the algorithm defined in <a href="#should-block-response">§5.4 Should response to request be blocked as mixed
      content?</a> for
  detail.</p>
    <p>The algorithm defined in <a href="#categorize-settings-object">§5.1 Does settings prohibit mixed security contexts?</a> is used by both <a href="#should-block-fetch">§5.3 Should fetching request be blocked as mixed content?</a> and <a href="#should-block-response">§5.4 Should response to request be blocked as mixed
      content?</a>, as well as <a href="#websockets-integration">§6 Modifications to WebSockets</a> in order to determine whether an insecure request
  ought to be blocked.</p>
    <section>
     <h3 class="heading settled" data-level="5.1" id="categorize-settings-object"><span class="secno">5.1. </span><span class="content"> Does <var>settings</var> prohibit mixed security contexts? </span><a class="self-link" href="#categorize-settings-object"></a></h3>
     <p>Both documents and workers have <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#settings-object">environment settings objects</a> which
    may be examined according to the following algorithm in order to determine
    whether they restrict mixed content. This algorithm returns "<code>Prohibits Mixed Security Contexts</code>" or "<code>Does Not Prohibit Mixed Security Contexts</code>",
    as appropriate.</p>
     <p>Given an <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#settings-object">environment settings object</a> (<var>settings</var>):</p>
     <ol>
      <li data-md="">
       <p>If <var>settings</var>’ <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-https-state">HTTPS state</a> is not "<code>none</code>", then return
  "<code>Prohibits Mixed Security Contexts</code>".</p>
      <li data-md="">
       <p>If <var>settings</var> has a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#responsible-document">responsible document</a> <var>document</var>, then:</p>
       <ol>
        <li data-md="">
         <p>While <var>document</var> has an <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document-2">embedding document</a>:</p>
         <ol>
          <li data-md="">
           <p>Set <var>document</var> to <var>document</var>’s <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document-3">embedding document</a>.</p>
          <li data-md="">
           <p>Let <var>embedder settings</var> be <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#global-object">global object</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings object</a>.</p>
          <li data-md="">
           <p>If <var>embedder settings</var>’ <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-https-state">HTTPS state</a> is not "<code>None</code>",
  then return "<code>Prohibits Mixed Security Contexts</code>".</p>
         </ol>
       </ol>
      <li data-md="">
       <p>Return "<code>Does Not Restrict Mixed Security Contexts</code>".</p>
     </ol>
     <div class="note" role="note">
       If a document has an <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document-4">embedding document</a>, a user agent needs to
      check not only the document itself, but also the <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing
      context</a> in which the document is nested, as that is the context
      which controls the user’s expectations regarding the security status of
      the resource she’s loaded. For example: 
      <div class="example" id="example-94c619b8"><a class="self-link" href="#example-94c619b8"></a> <code>http://a.com</code> loads <code>http://evil.com</code>. The
        insecure request will be allowed, as <code>a.com</code> was not loaded
        over a secure connection. </div>
      <div class="example" id="example-501baa03"><a class="self-link" href="#example-501baa03"></a> <code>https://a.com</code> loads <code>http://evil.com</code>. The
        insecure request will be blocked, as <code>a.com</code> was loaded over
        a secure connection. </div>
      <div class="example" id="example-ae11902f"><a class="self-link" href="#example-ae11902f"></a> <code>http://a.com</code> frames <code>https://b.com</code>, which
        loads <code>http://evil.com</code>. In this case, the insecure request
        to <code>evil.com</code> will be blocked, as <code>b.com</code> was
        loaded over a secure connection, even though <code>a.com</code> was not. </div>
      <div class="example" id="example-88d42d9f"><a class="self-link" href="#example-88d42d9f"></a> <code>https://a.com</code> frames a <code>data:</code> URL, which loads <code>http://evil.com</code>. In this case, the insecure request to <code>evil.com</code> will be blocked, as <code>a.com</code> was loaded
        over a secure connection, even though the framed <code>data:</code> URL
        would not block mixed content if loaded in a top-level context. </div>
     </div>
    </section>
    <section>
     <h3 class="heading settled" data-level="5.2" id="is-passthrough"><span class="secno">5.2. </span><span class="content"> Is <var>request</var> a passthrough request? </span><a class="self-link" href="#is-passthrough"></a></h3>
     <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="passthrough request" data-noexport="" id="passthrough-request">passthrough request<span class="dfn-panel" data-deco=""><b><a href="#passthrough-request">#passthrough-request</a></b><b>Referenced in:</b><span><a href="#ref-for-passthrough-request-1">5.3. 
      Should fetching request be blocked as mixed content? </a></span><span><a href="#ref-for-passthrough-request-2">5.4. 
      Should response to request be blocked as mixed
      content? </a></span></span></dfn> is a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>)
    which is created in a <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#browsing-context">browsing context</a> (e.g. via an <code><a data-link-type="element" href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-img-element">img</a></code> tag in a
    document), but serviced by a Service Worker (e.g. by calling <code>fetch(e.request)</code> from within an <code>onfetch</code> event
    handler). As described in <a href="#service-workers">§7.5 Service Workers</a>, we special-case these kinds
    of requests in order to allow web developers to layer service workers on top
    of an existing site which relies on requesting <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-5">optionally-blockable</a> mixed content.</p>
     <p>More formally, <var>request</var> is a passthrough request if the following
    conditions hold <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a>:</p>
     <ol>
      <li>
        <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is <code>fetch</code> 
       <p class="note" role="note">Note: When a request is copied (as in the <code>fetch(e.response)</code> example above), the original <code>context</code> is lost. Here, we
        ensure that we’re dealing with such a request, but we implicitly rely on <a href="#should-block-fetch">§5.3 Should fetching request be blocked as mixed content?</a> preventing <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-5">blockable</a> requests from
        entering a Service Worker in the first place.</p>
      <li>
        <var>request</var>’s <code>window</code> is an <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#settings-object">environment settings
        object</a> (and, therefore, <strong>not</strong> <code>no-window</code>) 
       <p class="note" role="note">Note: We rely on the <code>window</code> property being properly set by <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a> to the <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#settings-object">environment settings object</a> responsible for the
        request in order to ensure that we can render some sort of warning to
        the user (as described in <a href="#requirements-ux">§7.3 UI Requirements</a>).</p>
      <li>
        <var>request</var>’s <code>client</code>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#global-object">global object</a> is a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/service-workers/#service-worker-global-scope">ServiceWorkerGlobalScope</a></code> object. 
       <p class="note" role="note">Note: We rely on the <code>client</code> property to reflect the origin
        of the request. Importantly, <var>request</var> is only a passthrough
        request if it originated inside a Service Worker.</p>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="5.3" id="should-block-fetch"><span class="secno">5.3. </span><span class="content"> Should fetching <var>request</var> be blocked as mixed content? </span><a class="self-link" href="#should-block-fetch"></a></h3>
     <p class="note" role="note">Note: The Fetch specification hooks into this algorithm to determine whether
    a request should be entirely blocked (e.g. because the request is for <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-6">blockable</a> content, and we can <em>assume</em> that it won’t be
    loaded over a secure connection).</p>
     <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">Request</a> <var>request</var>, a user agent determines
    whether the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">Request</a> <var>request</var> should proceed or not via the
    following algorithm:</p>
     <ol>
      <li>
        Return <strong>allowed</strong> if one or more of the following
        conditions are met: 
       <ol>
        <li> <a href="#categorize-settings-object">§5.1 Does settings prohibit mixed security contexts?</a> returns "<code>Does Not Restrict Mixed Security Contexts</code>" when applied to <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>. 
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> is <a data-link-type="dfn" href="#a-priori-authenticated-url" id="ref-for-a-priori-authenticated-url-4"><i lang="la">a priori</i> authenticated</a>. 
        <li> The user agent has been instructed to allow <a data-link-type="dfn" href="#mixed-content" id="ref-for-mixed-content-4">mixed content</a>, as
            described in <a href="#requirements-user-controls">§7.4 User Controls</a>). 
        <li>
          <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is
            "<code>document</code>", and <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing
            context</a> has no <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#parent-browsing-context">parent browsing context</a>. 
         <p class="note" role="note">Note: We exclude top-level navigations from mixed content checks,
            but user agents MAY choose to enforce mixed content checks on
            insecure form submissions (see <a href="#further-action">§7.6 Further Action</a>).</p>
       </ol>
      <li>
        For each <var>policy</var> in <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/dom.html#document-csp-list">CSP list</a>: 
       <ol>
        <li data-md="">
         <p>If <var>policy</var>’s <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#policy-directive-set">directive set</a> contains a <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#directives">directive</a> whose <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#directive-name">name</a> is
  "<a data-link-type="dfn" href="#block-all-mixed-content" id="ref-for-block-all-mixed-content-3"><code>block-all-mixed-content</code></a>":</p>
         <ol>
          <li data-md="">
           <p>Let <var>violation</var> be the result of executing the algorithm defined
  in <span spec-section="#create-violation-for-global"></span> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#global-object">global object</a>, <var>policy</var>,
  and "<code>block-all-mixed-content</code>".</p>
          <li data-md="">
           <p>Set <var>violation</var>’s <a data-link-type="dfn" href="https://w3c.github.io/webappsec-csp/#violation-resource">resource</a> to <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a>.</p>
          <li data-md="">
           <p>Execute the algorithm defined in <span spec-section="#report-violation"></span> on <var>violation</var>.</p>
         </ol>
       </ol>
      <li>
        Return <strong>blocked</strong> if one or more of the following
        conditions are met: 
       <ol>
        <li> The user agent is configured to block <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-6">optionally-blockable</a> mixed content, as described in <a href="#requirements-user-controls">§7.4 User Controls</a>. 
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag" id="ref-for-strict-mixed-content-checking-flag-8">strict mixed content
            checking flag</a> is <code>true</code>. 
        <li> <var>request</var>’s <code>mode</code> is <code>CORS</code> or <code>CORS-with-forced-preflight</code>. 
       </ol>
      <li>
        Return <strong>allowed</strong> if one or more of the following
        conditions are met: 
       <ol>
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is "<code>fetch</code>" and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is "<code>subresource</code>", and <var>request</var> is a <a data-link-type="dfn" href="#passthrough-request" id="ref-for-passthrough-request-1">passthrough request</a>. 
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>image</code>", and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is not "<code>imageset</code>". 
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>video</code>". 
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>audio</code>". 
       </ol>
      <li> Return <strong>blocked</strong>. 
     </ol>
     <p class="note" role="note">Note: We special-case <code>fetch</code> to allow it as optionally-blockable
    in the event that a Service Worker is making a <code>no-cors</code> request
    in response to a Fetch event generated from a Document. In that case, the
    request’s <code>client</code> property will be an <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#settings-object">environment settings
    object</a> whose global object is a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/browsers.html#window">Window</a></code> object (the Service Worker’s
    request’s <code>client</code>, on the other hand, will be a <code>WorkerGlobalScope</code> object.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="5.4" id="should-block-response"><span class="secno">5.4. </span><span class="content"> Should <var>response</var> to <var>request</var> be blocked as mixed
      content? </span><a class="self-link" href="#should-block-response"></a></h3>
     <p class="note" role="note">Note: <a href="#should-block-fetch">If a request proceeds</a>, we still
    might want to block the response based on the state of the connection
    that generated the response (e.g. because the request is <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-7">blockable</a>,
    but the connection is <a data-link-type="dfn" href="#unauthenticated-response" id="ref-for-unauthenticated-response-4">unauthenticated</a>), and we also need to ensure
    that a Service Worker doesn’t accidentally return an <a data-link-type="dfn" href="#unauthenticated-response" id="ref-for-unauthenticated-response-5">unauthenticated
    response</a> for a <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-8">blockable</a> request. This algorithm is used to make
    that determination.</p>
     <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> <var>request</var> and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> <var>response</var>, the user agent determines what response should be
    returned via the following algorithm:</p>
     <ol>
      <li>
        Return <strong>allowed</strong> if one or more of the following
        conditions are met: 
       <ol>
        <li> <a href="#categorize-settings-object">§5.1 Does settings prohibit mixed security contexts?</a> returns <code>Does Not Restrict
            Mixed Content</code> when applied to <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>. 
        <li> <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-https-state">HTTPS state</a> is <code>modern</code>. 
        <li> The user agent has been instructed to allow <a data-link-type="dfn" href="#mixed-content" id="ref-for-mixed-content-5">mixed content</a>, as
            described in <a href="#requirements-user-controls">§7.4 User Controls</a>). 
        <li>
          <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is
            "<code>document</code>", and <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing
            context</a> has no <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#parent-browsing-context">parent browsing context</a>. 
         <p class="note" role="note">Note: We exclude top-level navigations from mixed content checks,
            but user agents MAY choose to enforce mixed content checks on
            insecure form submissions (see <a href="#further-action">§7.6 Further Action</a>).</p>
       </ol>
      <li>
        Return <strong>blocked</strong> if one or more of the following
        conditions are met: 
       <ol>
        <li> The user agent is configured to block <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-7">optionally-blockable</a> mixed content, as described in <a href="#requirements-user-controls">§7.4 User Controls</a>. 
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s <a data-link-type="dfn" href="#strict-mixed-content-checking-flag" id="ref-for-strict-mixed-content-checking-flag-9">strict mixed content
            checking flag</a> is <code>true</code>. 
       </ol>
      <li>
        Return <strong>allowed</strong> if <var>response</var> is an <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-filtered-response-opaque">opaque
        filtered response</a> and one or more of the following conditions are
        met: 
       <ol>
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is "<code>fetch</code>", and <var>request</var> is a <a data-link-type="dfn" href="#passthrough-request" id="ref-for-passthrough-request-2">passthrough request</a>. 
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>image</code>", and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is not "<code>imageset</code>". 
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>video</code>". 
        <li> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>audio</code>". 
       </ol>
      <li>Return <strong>blocked</strong>.
     </ol>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="6" id="websockets-integration"><span class="secno">6. </span><span class="content">Modifications to WebSockets</span><a class="self-link" href="#websockets-integration"></a></h2>
    <p>The <a href="https://www.w3.org/TR/websockets/#the-websocket-interface"><code>WebSocket()</code> constructor algorithm</a> <a data-link-type="biblio" href="#biblio-websockets">[WEBSOCKETS]</a> is modified as follows:</p>
    <ul>
     <li> Remove the current step 2. 
    </ul>
    <p class="note" role="note">Note: This suggestion is filed as <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=28841">bug #28841</a> against <a data-link-type="biblio" href="#biblio-websockets">[WEBSOCKETS]</a>.</p>
    <p>The <a href="http://tools.ietf.org/html/rfc6455#section-4.1">Establish a
  WebSocket Connection algorithm</a> <a data-link-type="biblio" href="#biblio-rfc6455">[RFC6455]</a> is modified as follows:</p>
    <ol>
     <li data-md="">
      <p>After the current step 1, perform the following step:</p>
      <ol>
       <li data-md="">
        <p>If <var>secure</var> is <code>false</code>, and the algorithm in <a href="#categorize-settings-object">§5.1 Does settings prohibit mixed security contexts?</a> returns "<code>Restricts Mixed Security Context</code>" when applied to <var>client</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#global-object">global object</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings object</a>, then the client MUST <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6455#section-7.1.7">fail the
  WebSocket connection</a> and abort the connection <a data-link-type="biblio" href="#biblio-rfc6455">[RFC6455]</a>.</p>
      </ol>
     <li data-md="">
      <p>After the current step 5, perform the following step:</p>
      <ol start="6">
       <li data-md="">
        <p>If <var>secure</var> is <code>true</code>, and the TLS handshake performed in step 5
  results in an HTTPS state of "<code>deprecated</code>", then the client MUST <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6455#section-7.1.7">fail the WebSocket connection</a> and abort the connection <a data-link-type="biblio" href="#biblio-rfc6455">[RFC6455]</a>.</p>
        <p class="issue" id="issue-3280c348"><a class="self-link" href="#issue-3280c348"></a> This is super hand-wavey.</p>
      </ol>
    </ol>
    <p class="note" role="note">Note: Filed as <a href="http://www.rfc-editor.org/errata_search.php?rfc=6455&amp;eid=4398">errata #4398</a> against <a data-link-type="biblio" href="#biblio-rfc6455">[RFC6455]</a>.</p>
    <p>These changes together mean that we’ll no longer throw a <code>SecurityError</code> exception directly upon constructing a WebSocket object, but will instead rely
  upon blocking the connection and triggering the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6455#section-7.1.7">fail the WebSocket
  connection</a> algorithm, which developers can catch by hooking a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/websockets/#the-websocket-interface">WebSocket</a></code> object’s <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/websockets/#handler-websocket-onerror">onerror</a></code> handler. This is consistent with
  the behavior of <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/XMLHttpRequest/#interface-xmlhttprequest">XMLHttpRequest</a></code>, <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/eventsource/#the-eventsource-interface">EventSource</a></code>, and <code class="idl"><a data-link-type="idl" href="https://fetch.spec.whatwg.org/#dom-global-fetch">Fetch</a></code>.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="7" id="security-considerations"><span class="secno">7. </span><span class="content">Security and Privacy Considerations</span><a class="self-link" href="#security-considerations"></a></h2>
    <section>
     <h3 class="heading settled" data-level="7.1" id="limitations"><span class="secno">7.1. </span><span class="content">Limitations</span><a class="self-link" href="#limitations"></a></h3>
     <p>Blocking mixed content allows us to ensure that the guarantees discussed
    in <a href="#intro">§1 Introduction</a> are upheld. Note, however, that those guarantees <em>only</em> protect developers and users against active network attackers who would
    otherwise be able to replace critical bits of code or content on the wire
    as it flows past. They <em>do not</em> protect against a compromised server
    that itself is coerced into sending corrupted resources.</p>
     <p>Mechanisms such as Subresource Integrity <a data-link-type="biblio" href="#biblio-sri">[SRI]</a> are designed to deal with
    this kind of threat, and we recommend that web developers make use of them
    whenever possible.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="7.2" id="requirements-forms"><span class="secno">7.2. </span><span class="content">Form Submission</span><a class="self-link" href="#requirements-forms"></a></h3>
     <p>If <a href="#categorize-settings-object">§5.1 Does settings prohibit mixed security contexts?</a> returns <code>Restricts Mixed
    Content</code> when applied to a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings
    object</a>, then a user agent MAY choose to warn users of the presence of
    one or more <code><a data-link-type="element" href="https://www.w3.org/TR/html51/sec-forms.html#the-form-element">form</a></code> elements with <code><a data-link-type="element-sub" href="https://www.w3.org/TR/html51/sec-forms.html#element-attrdef-form-action">action</a></code> attributes whose values
    are not <a data-link-type="dfn" href="#a-priori-authenticated-url" id="ref-for-a-priori-authenticated-url-5"><i lang="la">a priori</i> authenticated URLs</a>.</p>
     <p class="note" role="note">Note: Chrome, for example, currently gives the same UI treatment to a page
    with an insecure form action as it does for a page that displays an insecure
    image.</p>
     <p>Further, a user agent MAY treat form submissions from such a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> as a <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-9">blockable</a> request, even if the submission occurs in
    the <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing context</a>.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="7.3" id="requirements-ux"><span class="secno">7.3. </span><span class="content">UI Requirements</span><a class="self-link" href="#requirements-ux"></a></h3>
     <p>If a user agent would normally indicate to the user that the <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing context</a> is secure, then:</p>
     <ul>
      <li data-md="">
       <p>When the user agent downgrades a context to a <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6797#section-12.4">mixed security
  context</a> by returning a resource in response to a <a data-link-type="dfn" href="#mixed-content" id="ref-for-mixed-content-6">mixed
  content</a> <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (either because the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> is <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-8">optionally-blockable</a>, or because the user agent is configured
  to allow <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-10">blockable</a> <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a>s), the user agent MUST NOT
  provide the user with that same indication.</p>
       <p>The user agent SHOULD instead give an indication that <a data-link-type="dfn" href="#mixed-content" id="ref-for-mixed-content-7">mixed
  content</a> is present.</p>
     </ul>
     <p>If a mixed content indication is present, it MUST be made available
    through accessibility APIs for users of assistive technologies.</p>
     <p class="note" role="note">Note: This requirement holds even in the context of an <a href="https://cabforum.org/about-ev-ssl/">EV status</a> <a data-link-type="biblio" href="#biblio-cab">[CAB]</a>. An EV
    certificate’s indicator does not override the necessity to notify
    users of mixed content violations.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="7.4" id="requirements-user-controls"><span class="secno">7.4. </span><span class="content">User Controls</span><a class="self-link" href="#requirements-user-controls"></a></h3>
     <p>A user agent MAY offer users the ability to directly decide whether or not
    to treat <strong>all</strong> <a data-link-type="dfn" href="#mixed-content" id="ref-for-mixed-content-8">mixed content</a> as <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-11">blockable</a> (meaning that even <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-9">optionally-blockable</a> mixed content would be
    blocked).</p>
     <p class="note" role="note">Note: It is <em>strongly recommended</em> that users take advantage of such
    an option if provided.</p>
     <p>A user agent MAY offer users the ability to override its decision to block <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-12">blockable</a> mixed content on a particular page.</p>
     <p class="note" role="note">Note: Practically, a user agent probably can’t get away with not offering
    such a back door. That said, allowing mixed script is in particular a very
    dangerous option, and each user agent <a href="http://tools.ietf.org/html/rfc6919#section-3">REALLY SHOULD NOT</a> <a data-link-type="biblio" href="#biblio-rfc6919">[RFC6919]</a> present such a choice to users without careful consideration and
    communication of the risk involved.</p>
     <p>Any such controls offered by a user agent MUST also be offered through
    accessibility APIs for users of assistive technologies.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="7.5" id="service-workers"><span class="secno">7.5. </span><span class="content">Service Workers</span><a class="self-link" href="#service-workers"></a></h3>
     <p>The fact that Service Workers sit inbetween a document and the network means
    that we need to special-case requests made in those contexts. In particular,
    they should be able to cache the results of insecure requests, provided that
    those requests were triggered from a document (which, presumably, ensures
    that they’ll be used in an <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-10">optionally-blockable</a> context). Those
    insecure results, however, cannot be exposed to the Service Worker, nor
    should the Service Worker be allowed to launder responses to <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-11">optionally-blockable</a> requests into responses to <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-13">blockable</a> requests.</p>
     <p>To that end:</p>
     <ol>
      <li data-md="">
       <p><a href="#should-block-fetch">§5.3 Should fetching request be blocked as mixed content?</a> has some carve-outs for the <code>fetch</code> request <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a>, with the intent of allowing a Service Worker
  to copy a request as part of its response to a Fetch event (e.g. <code>fetch(event.response)</code> should be executable inside the
  event handler.</p>
       <p><code>fetch</code> will continue to be treated as <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-14">blockable</a> when
  executed outside the context of a Fetch event, which of course includes
  document contexts.</p>
      <li data-md="">
       <p><a href="#should-block-response">§5.4 Should response to request be blocked as mixed
      content?</a> verifies that the incoming response has the
  same security characteristics that were allowed for the request. That
  is, a Service Worker will not be able to replace a request for a secure
  script with a cached response for an insecure resource.</p>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="7.6" id="further-action"><span class="secno">7.6. </span><span class="content">Further Action</span><a class="self-link" href="#further-action"></a></h3>
     <p>A user agent is encouraged to take further action above and beyond the
    requirements this document outlines in order to discourage developers from
    embedding mixed content.</p>
     <p>For instance, a user agent could:</p>
     <ol>
      <li> Interpret the presence of a <code>Strict-Transport-Security</code> header field as forcing all content into the <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-15">blockable</a> category <a data-link-type="biblio" href="#biblio-rfc6797">[RFC6797]</a>, or as a signal to enable <a data-link-type="dfn" href="#strict-mode" id="ref-for-strict-mode-1">strict mode</a> for mixed
        content checking. 
      <li> Modify requests for <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-12">optionally-blockable</a> resources which are <a data-link-type="dfn" href="#mixed-content" id="ref-for-mixed-content-9">mixed content</a> in order to reduce the risk to users: cookies
        and other authentication tokens could be stripped from the requests,
        automatic scheme upgrades could be attempted, and so on. 
      <li> Treat <a data-link-type="dfn" href="#optionally-blockable" id="ref-for-optionally-blockable-13">optionally-blockable</a> resources inside <a data-link-type="dfn" href="https://www.w3.org/TR/html51/browsers.html#nested-browsing-contexts">nested browsing
        contexts</a> as <a data-link-type="dfn" href="#blockable" id="ref-for-blockable-16">blockable</a>, to allow sites to embed resources
        without fear of introducing mixed content. 
     </ol>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="8" id="iana-considerations"><span class="secno">8. </span><span class="content">IANA Considerations</span><a class="self-link" href="#iana-considerations"></a></h2>
    <p>The Content Security Policy Directive registry should be updated with the
  following directives and references <a data-link-type="biblio" href="#biblio-rfc7762">[RFC7762]</a>:</p>
    <dl>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#block-all-mixed-content" id="ref-for-block-all-mixed-content-4"><code>block-all-mixed-content</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#strict-opt-in">§4.2 Opting-in</a>)</p>
    </dl>
   </section>
   <section>
    <h2 class="heading settled" data-level="9" id="acknowledgements"><span class="secno">9. </span><span class="content">Acknowledgements</span><a class="self-link" href="#acknowledgements"></a></h2>
    <p>In addition to the wonderful feedback gathered from the WebAppSec WG, the
  Chrome security team was invaluable in preparing this specification. In
  particular, Chris Palmer, Chris Evans, Ryan Sleevi, Michal Zalewski, Ken
  Buchanan, and Tom Sepez gave lots of early feedback. Anne van Kesteren
  explained Fetch and helped define the interface to this specification.
  Brian Smith helped keep the spec focused, trim, and sane.</p>
   </section>
  </main>
  <h2 class="no-ref no-num heading settled" id="conformance"><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>
  <h3 class="no-ref no-num heading settled" id="conventions"><span class="content">Document conventions</span><a class="self-link" href="#conventions"></a></h3>
  <p>Conformance requirements are expressed with a combination of
    descriptive assertions and RFC 2119 terminology. The key words “MUST”,
    “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
    “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this
    document are to be interpreted as described in RFC 2119.
    However, for readability, these words do not appear in all uppercase
    letters in this specification. </p>
  <p>All of the text of this specification is normative except sections
    explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a></p>
  <p>Examples in this specification are introduced with the words “for example”
    or are set apart from the normative text with <code>class="example"</code>,
    like this: </p>
  <div class="example" id="example-f839f6c8">
   <a class="self-link" href="#example-f839f6c8"></a> 
   <p>This is an example of an informative example.</p>
  </div>
  <p>Informative notes begin with the word “Note” and are set apart from the
    normative text with <code>class="note"</code>, like this: </p>
  <p class="note" role="note">Note, this is an informative note.</p>
  <h3 class="no-ref no-num heading settled" id="conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#conformant-algorithms"></a></h3>
  <p>Requirements phrased in the imperative as part of algorithms (such as
    "strip any leading space characters" or "return false and abort these
    steps") are to be interpreted with the meaning of the key word ("must",
    "should", "may", etc) used in introducing the algorithm.</p>
  <p>Conformance requirements phrased as algorithms or specific steps can be
    implemented in any manner, so long as the end result is equivalent. In
    particular, the algorithms defined in this specification are intended to
    be easy to understand and are not intended to be performant. Implementers
    are encouraged to optimize.</p>
<script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script>
  <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="index">
   <li><a href="#a-priori-authenticated-url">a priori authenticated</a><span>, in §2</span>
   <li><a href="#a-priori-authenticated-url">a priori authenticated URL</a><span>, in §2</span>
   <li><a href="#blockable">blockable</a><span>, in §3.2</span>
   <li><a href="#block-all-mixed-content">block-all-mixed-content</a><span>, in §4.2</span>
   <li><a href="#embedding-document">embedding document</a><span>, in §2</span>
   <li><a href="#mixed-content">mixed</a><span>, in §2</span>
   <li><a href="#mixed-content">mixed content</a><span>, in §2</span>
   <li><a href="#optionally-blockable">optionally-blockable</a><span>, in §3.1</span>
   <li><a href="#passthrough-request">passthrough request</a><span>, in §5.2</span>
   <li><a href="#strict-mixed-content-checking-flag">strict mixed content checking flag</a><span>, in §4</span>
   <li><a href="#strict-mode">strict mode</a><span>, in §4</span>
   <li><a href="#unauthenticated-response">unauthenticated</a><span>, in §2</span>
   <li><a href="#unauthenticated-response">unauthenticated response</a><span>, in §2</span>
  </ul>
  <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="index">
   <li>
    <a data-link-type="biblio">[CSP3]</a> defines the following terms:
    <ul>
     <li><a href="https://w3c.github.io/webappsec-csp/#directives">directive</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#policy-directive-set">directive set</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#enforced">enforce</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#directive-name">name</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#violation-resource">resource</a>
    </ul>
   <li>
    <a data-link-type="biblio">[FETCH]</a> defines the following terms:
    <ul>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-response-https-state">https state</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a>
     <li><a href="https://fetch.spec.whatwg.org/#navigation-request">navigation request</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-filtered-response-opaque">opaque filtered response</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request">request</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-response">response</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing context</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-type">type</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-url">url</a>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML51]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/html51/sec-forms.html#element-attrdef-form-action">action</a>
     <li><a href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-audio-element">audio</a>
     <li><a href="https://www.w3.org/TR/html51/browsers.html#browsing-context">browsing context</a>
     <li><a href="https://www.w3.org/TR/html51/dom.html#document-csp-list">csp list</a>
     <li><a href="https://www.w3.org/TR/html51/webappapis.html#settings-object">environment settings object</a>
     <li><a href="https://www.w3.org/TR/html51/sec-forms.html#the-form-element">form</a>
     <li><a href="https://www.w3.org/TR/html51/webappapis.html#global-object">global object</a>
     <li><a href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-img-element">img</a>
     <li><a href="https://www.w3.org/TR/html51/browsers.html#initializing-a-new-document-object">initializing a new document object</a>
     <li><a href="https://www.w3.org/TR/html51/document-metadata.html#the-meta-element">meta</a>
     <li><a href="https://www.w3.org/TR/html51/browsers.html#nested-browsing-contexts">nested browsing context</a>
     <li><a href="https://www.w3.org/TR/html51/browsers.html#through-which-new-document-is-nested">nested through</a>
     <li><a href="https://www.w3.org/TR/html51/browsers.html#parent-browsing-context">parent browsing context</a>
     <li><a href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-picture-element">picture</a>
     <li><a href="https://www.w3.org/TR/html51/infrastructure.html#plugin">plugin</a>
     <li><a href="https://www.w3.org/TR/html51/webappapis.html#relevant-settings-object">relevant settings object</a>
     <li><a href="https://www.w3.org/TR/html51/webappapis.html#responsible-document">responsible document</a>
     <li><a href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-source-element">source</a>
     <li><a href="https://www.w3.org/TR/html51/browsers.html#top-level-browsing-context">top-level browsing context</a>
     <li><a href="https://www.w3.org/TR/html51/semantics-embedded-content.html#the-video-element">video</a>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC6455]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc6455#section-7.1.7">fail the websocket connection</a>
    </ul>
   <li>
    <a data-link-type="biblio">[css-backgrounds-3]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/css3-background/#background-image">background-image</a>
     <li><a href="https://www.w3.org/TR/css3-background/#border-image">border-image</a>
    </ul>
   <li>
    <a data-link-type="biblio">[WHATWG-URL]</a> defines the following terms:
    <ul>
     <li><a href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a>
    </ul>
  </ul>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-csp3">[CSP3]
   <dd>Mike West. <a href="https://w3c.github.io/webappsec-csp/">Content Security Policy Level 3</a>. 26 January 2016. WD. URL: <a href="https://w3c.github.io/webappsec-csp/">https://w3c.github.io/webappsec-csp/</a>
   <dt id="biblio-css-backgrounds-3">[CSS-BACKGROUNDS-3]
   <dd>CSS Backgrounds and Borders Module Level 3 URL: <a href="https://drafts.csswg.org/css-backgrounds-3/">https://drafts.csswg.org/css-backgrounds-3/</a>
   <dt id="biblio-fetch">[FETCH]
   <dd>Anne van Kesteren. <a href="https://fetch.spec.whatwg.org/">Fetch Standard</a>. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
   <dt id="biblio-html51">[HTML51]
   <dd>Steve Faulkner; et al. <a href="https://w3c.github.io/html/">HTML 5.1</a>. 12 April 2016. WD. URL: <a href="https://w3c.github.io/html/">https://w3c.github.io/html/</a>
   <dt id="biblio-rfc2119">[RFC2119]
   <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
   <dt id="biblio-rfc6455">[RFC6455]
   <dd>I. Fette; A. Melnikov. <a href="https://tools.ietf.org/html/rfc6455">The WebSocket Protocol</a>. December 2011. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6455">https://tools.ietf.org/html/rfc6455</a>
   <dt id="biblio-rfc6797">[RFC6797]
   <dd>J. Hodges; C. Jackson; A. Barth. <a href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security (HSTS)</a>. November 2012. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6797">https://tools.ietf.org/html/rfc6797</a>
   <dt id="biblio-rfc7762">[RFC7762]
   <dd>M. West. <a href="https://tools.ietf.org/html/rfc7762">Initial Assignment for the Content Security Policy Directives Registry</a>. January 2016. Informational. URL: <a href="https://tools.ietf.org/html/rfc7762">https://tools.ietf.org/html/rfc7762</a>
   <dt id="biblio-websockets">[WEBSOCKETS]
   <dd>Ian Hickson. <a href="https://www.w3.org/TR/websockets/">The WebSocket API</a>. 20 September 2012. CR. URL: <a href="https://www.w3.org/TR/websockets/">https://www.w3.org/TR/websockets/</a>
   <dt id="biblio-whatwg-url">[WHATWG-URL]
   <dd>Anne van Kesteren; Sam Ruby. <a href="https://url.spec.whatwg.org/">URL Standard</a>. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a>
  </dl>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-cab">[CAB]
   <dd><a href="https://cabforum.org/baseline-requirements-documents/">CA/Browser Forum Baseline Requirements v1.3.7</a>. 8 July, 2016. URL: <a href="https://cabforum.org/baseline-requirements-documents/">https://cabforum.org/baseline-requirements-documents/</a>
   <dt id="biblio-rfc6919">[RFC6919]
   <dd>R. Barnes; S. Kent; E. Rescorla. <a href="https://tools.ietf.org/html/rfc6919">Further Key Words for Use in RFCs to Indicate Requirement Levels</a>. 1 April 2013. Experimental. URL: <a href="https://tools.ietf.org/html/rfc6919">https://tools.ietf.org/html/rfc6919</a>
   <dt id="biblio-sri">[SRI]
   <dd>Devdatta Akhawe; et al. <a href="https://www.w3.org/TR/SRI/">Subresource Integrity</a>. 12 November 2015. CR. URL: <a href="https://www.w3.org/TR/SRI/">https://www.w3.org/TR/SRI/</a>
   <dt id="biblio-wsc-ui">[WSC-UI]
   <dd>Thomas Roessler; Anil Saldhana. <a href="https://www.w3.org/TR/wsc-ui/">Web Security Context: User Interface Guidelines</a>. 12 August 2010. REC. URL: <a href="https://www.w3.org/TR/wsc-ui/">https://www.w3.org/TR/wsc-ui/</a>
   <dt id="biblio-xml">[XML]
   <dd>Tim Bray; et al. <a href="https://www.w3.org/TR/xml">Extensible Markup Language (XML) 1.0 (Fifth Edition)</a>. 26 November 2008. REC. URL: <a href="https://www.w3.org/TR/xml">https://www.w3.org/TR/xml</a>
  </dl>
  <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content">Issues Index</span><a class="self-link" href="#issues-index"></a></h2>
  <div style="counter-reset:issue">
   <div class="issue"> This is super hand-wavey.<a href="#issue-3280c348"> ↵ </a></div>
  </div>
<script>
        document.body.addEventListener("click", function(e) {
            var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); }
            // Find the dfn element or panel, if any, that was clicked on.
            var el = e.target;
            var target;
            while(el.parentElement) {
                if(el.tagName == "DFN") {
                    target = "dfn";
                    break;
                }
                if(/H\d/.test(el.tagName) && el.getAttribute('data-dfn-type') != null) {
                    target = "dfn";
                    break;
                }
                if(el.classList.contains("dfn-panel")) {
                    target = "dfn-panel";
                    break;
                }
                el = el.parentElement;
            }
            if(target != "dfn-panel") {
                // Turn off any currently "on" or "activated" panels.
                queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(el){
                    el.classList.remove("on");
                    el.classList.remove("activated");
                });
            }
            if(target == "dfn") {
                // open the panel
                var dfnPanel = el.querySelector(".dfn-panel");
                if(dfnPanel) {
                    dfnPanel.classList.add("on");
                }
            } else if(target == "dfn-panel") {
                // Switch it to "activated" state, which pins it.
                el.classList.add("activated");
            }

        });
        </script>