W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Mike West <mkwst@google.com>
Date: Mon, 15 Dec 2014 16:18:39 +0100
Message-ID: <CAKXHy=ehNJrJ6XEoJBNSL3gujgC0_MU5uJ+WO8EwtvX7fZ+w1Q@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Michael Cooper <cooper@w3.org>, David Walp <David.Walp@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Dec 15, 2014 at 12:10 PM, Mike West <mkwst@google.com> wrote:
>
> 3. Whether to change how currently-optionally-blockable mixed content
>> in iframes is dealt with [4]--in particular, whether to treat all
>> mixed content in iframes as mixed content--hasn't been adequately
>> addressed. There doesn't seem to be sufficient agreement either way,
>> and also we lack sufficient data to make a determination about the
>> feasibility of making a change. My suggestion would be to note the
>> issue as something to be resolved during CR/PR, if that can be done
>> without prejudice against making the change to block it if we get data
>> showing it is feasible.
>>
>
> We ended up in
> http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0355.html; I
> think it's totally reasonable to add something to frames that would
> silently block all mixed content in any nested browsing context to give the
> parent some assurance regarding the page's security indicator.
>
> I don't think this is something we could add at CR; it's really a new
> feature. It's not clear to me that there's sufficient agreement on what we
> should do here to proceed, but I'll draft some text that we can argue
> about. :)
>

I took a pass at a strawman in
https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode.

WDYT?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 15 December 2014 15:19:27 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC