Tags: https

1208

Sunday, November 17th, 2019

Checked in at Flughafen Berlin Tempelhof. with Jessica

map — Checked in at Flughafen Berlin Tempelhof. with Jessica

map — Checked in at Café Mugrabi. Hummus sabich — with Jessica

Saturday, November 16th, 2019

Checked in at Lutter & Wegner Gendarmenmarkt. Knusprige Ente — with Jessica

map — Checked in at Lutter & Wegner Gendarmenmarkt. Knusprige Ente — with Jessica

Wer hat uns verraten? Metadaten!

Who has betrayed us? Metadata!

Checked in at LIU 成都味道. Szechuan noodles!

map — Checked in at LIU 成都味道. Szechuan noodles!

Thursday, November 14th, 2019

map — Checked in at Festsaal Kreuzberg. Let’s do this! — with Aaron, Marc

Tuesday, November 12th, 2019

CSS for all

There have been some great new CSS properties and values shipping in Firefox recently.

Miriam Suzanne explains the difference between the newer revert value and the older inherit, initial and unset values in a video on the Mozilla Developer channel:

display: revert;

In another video, Jen describes some new properties for styling underlines (on links, for example):

text-decoration-thickness:  0.1em;
text-decoration-color: red;
text-underline-offset: 0.2em;
text-decoration-skip-ink: auto;

Great stuff!

As far as I can tell, all of these properties are available to you regardless of whether you are serving your website over HTTP or over HTTPS. That may seem like an odd observation to make, but I invite you to cast your mind back to January 2018. That’s when the Mozilla Security Blog posted about moving to secure contexts everywhere:

Effective immediately, all new features that are web-exposed are to be restricted to secure contexts. Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.

(emphasis mine)

Buzz Lightyear says to Woody: Secure contexts …secure contexts everywhere!

Despite that “effective immediately” clause, I haven’t observed any of the new CSS properties added in the past two years to be restricted to HTTPS. I’m glad about that. I wrote about this announcement at the time:

I am in total agreement that we should be encouraging everyone to switch to HTTPS. But requiring HTTPS in order to use CSS? The ends don’t justify the means.

If there were valid security reasons for making HTTPS a requirement, I would be all for enforcing this. But these are two totally separate areas. Enforcing HTTPS by withholding CSS support is no different to enforcing AMP by withholding search placement.

There’s no official word from the Mozilla Security Blog about any change to their two-year old “effective immediately” policy, and the original blog post hasn’t been updated. Maybe we can all just pretend it never happened.