Issue with "CSP: block-all-mixed-content": Deprecated without explanation or suggested replacement. #9889

Closed
collinanderson opened this issue Oct 18, 2021 · 6 comments · Fixed by #10068

Comments

@collinanderson
Contributor

MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

What information was incorrect, unhelpful, or incomplete?

block-all-mixed-content is marked as deprecated, however, there's no explication as to why it's deprecated and no suggestion of a replacement.

What did you expect to see?

I expected to either see a suggested replacement, or at least an explication of why block-all-mixed-content should not be used in the future.

@hamishwillee
Collaborator

This was removed because it is obsolete. There is no replacement - it is simply not needed. From the spec: https://w3c.github.io/webappsec-mixed-content/#obsolescences :

An earlier version of this specification defined the block-all-mixed-content CSP directive. It is now obsolete, because all mixed content is now blocked if it can’t be autoupgraded.

I am hesitant to add a note because MDN has no policy on what you do about reasons and alternatives (and yes, it has come up a number of times). I have added discussion in https://github.com/mdn/content/discussions/5549#discussioncomment-1499176

@hamishwillee
Collaborator

PS, if you ever want to find out the reason, the best way is usually to do a git blame on the associated key in the https://github.com/mdn/browser-compat-data repository (which provides the compatibility information). That is usually the first place that gets updated and almost always contains a clear reason.

@collinanderson
Contributor Author

Interesting. I personally think the word "Deprecated" is fine, but yeah I feel like ideally when something gets marked as deprecated on MDN, some sort of explanation should get documented on MDN. Sounds like it's a bigger issue.

@hamishwillee
Collaborator

Deprecated is fine for me too, but it gets misinterpreted and overloaded. My bigger problem is the same as you - I want to know what I should use instead and I want to be sure it is really deprecated and not applied by accident (for which a reason is the best solution).

@hamishwillee
Collaborator

Anyway, decided to add a reason. Does not harm.

@collinanderson
Contributor Author

Thanks!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 25, 2022