
RE: ISSUE-38: Discuss no-mixed-content directive

From: Neil Matatall <neilm@twitter.com>
Date: Tue, 5 Feb 2013 11:01:42 -0800
Message-ID: <CAOFLtbiJ5OO89bZYJsaVqVHoyTn+Egw=FbFBEBJjEp4FS0wnoQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

I would think of this more as an "hsts"-like feature, but I don't want
to confuse that with the HSTS header itself!

"no-mixed-content": on; works for me

Background:
When I supply hosts without schemes in a directive
And I supply the "no-mixed-content" flag in the CSP directive

Scenario: SSL Requests
Given the request is over SSL
Then all host values should be prepended with https

Scenario: Plaintext Requests
Given the request is not over SSL
Then all host values should be prepended with http in addition to https

This still allows you to hard code https for hosts (i.e. never over plain
ever), but grants flexibility such that you can apply a very
restrictive and concise header with flexibility that doesn't require
scheme-specific headers.

Supply this with preloaded HSTS and cert pinning, your surface for
potentially exposing resources over plaintext is drastically reduced.
Received on Tuesday, 5 February 2013 19:02:09 GMT
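The expansion rules Neil sketches in the Background/Scenario block can be stated as a small policy evaluator. The following is an added example written for this archive page; it is not code from the post, from the CSP specification, or from any browser. The function names, the policy shape (a list of source expressions plus a boolean flag), the hostname-only matching (ports and paths ignored) and the treatment of a scheme-less source when the flag is off (matched against the page's own scheme, as CSP 1.0 does for host sources) are assumptions made for illustration.

```python
# Added example (not part of the post or of any CSP implementation): a toy
# evaluator for the proposed "no-mixed-content" flag. Names and policy
# shape are assumptions for illustration.


def _split_url(url):
    """Return (scheme, host) for a URL or a scheme-ful source expression.
    Ports and paths are ignored; hosts compare case-insensitively."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()
    return scheme.lower(), host


def expand_sources(sources, request_scheme, no_mixed_content):
    """Expand scheme-less host sources the way the post describes.

    - Sources with an explicit scheme (e.g. hard-coded https://) are unchanged.
    - With the flag off, scheme-less hosts are left as they are.
    - With the flag on and the page over SSL, each host becomes https://host.
    - With the flag on and the page over plaintext, each host becomes
      both http://host and https://host.
    """
    expanded = []
    for src in sources:
        if "://" in src or not no_mixed_content:
            expanded.append(src)
        elif request_scheme == "https":
            expanded.append("https://" + src)
        else:
            expanded.append("http://" + src)
            expanded.append("https://" + src)
    return expanded


def _host_matches(pattern, host):
    """Exact host match, or '*.example' matching any subdomain of example."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def is_allowed(resource_url, sources, request_scheme, no_mixed_content):
    """Decide whether resource_url may load under the given source list.

    A scheme-less source that survives expansion (flag off) is matched
    against the page's own scheme (assumed CSP 1.0 host-source behaviour).
    """
    res_scheme, res_host = _split_url(resource_url)
    for src in expand_sources(sources, request_scheme, no_mixed_content):
        if "://" in src:
            src_scheme, src_host = _split_url(src)
        else:
            src_scheme, src_host = request_scheme, src.lower()
        if src_scheme == res_scheme and _host_matches(src_host, res_host):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample policy: one scheme-less CDN host, one hard-coded https host.
    policy = ["cdn.example", "https://static.example"]
    print(expand_sources(policy, "https", True))
    # Over SSL with the flag on, a plaintext load from the CDN is refused.
    print(is_allowed("http://cdn.example/app.js", policy, "https", True))
    # Over plaintext the same load is permitted, and https is always permitted.
    print(is_allowed("http://cdn.example/app.js", policy, "http", True))
    # The hard-coded https host never matches a plaintext URL, on any page.
    print(is_allowed("http://static.example/a.js", policy, "http", True))
```

The point of the example is the asymmetry the post describes: with the flag on, a single scheme-less source list yields an https-only policy on SSL pages and a permissive one on plaintext pages, while an explicit `https://` source stays strict everywhere. Combined with HSTS, the plaintext branch is rarely reached, which is the surface reduction the post is after.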
