W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive

From: Dan Veditz <dveditz@mozilla.com>
Date: Sat, 03 Nov 2012 01:14:21 +0100
Message-ID: <509461DD.3070409@mozilla.com>
To: Ian Melven <imelven@mozilla.com>
CC: Web Application Security Working Group <public-webappsec@w3.org>
On 11/2/12 7:30 PM, Ian Melven wrote:
> is this mostly a shortcut for specifying 'https:' for all source directives ?

Sort of. The main difference would be that no-mixed-content would 
inherit into framed content. Specifying 'https:' can ensure an insecure 
framed document wouldn't get loaded but it cannot prevent the frame from 
itself including http: content.

Alternatives might be to specify this instead as part of the <iframe 
sandbox> attribute.

We might also decide that it's dangerous to allow a possibly malicious 
parent document to block selected content in child frames, although that 
ship has already sailed somewhat with <iframe sandbox> in the first place.

-Dan Veditz
Received on Saturday, 3 November 2012 00:14:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 3 November 2012 00:14:51 GMT