Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

On Mon, Dec 15, 2014 at 8:39 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
>>> I guess that would be implied by the iframe sandbox attribute which would
>>> be included-by-reference into CSP's sandbox directive.  It just seems ugly
>>> that you'd have to set a sandbox and christmas-tree the flags to get this
>>> behavior.  It also seems a bit out-of-pattern to add new flags to
>>> sandboxing in this way.  All the other flags loosen the sandbox.
>>>
>>
>> I don't understand your point here. :/
>>
>
> (sorry, slang decoder here:
> http://en.wikipedia.org/wiki/Christmas_tree_packet )
>
> If the strict checking for descendants is the only behavior you want, you
> have to set sandbox on yourself, then opt-out of everything AND opt-in to
> this new flag.
>

Ah, there's the confusion. This isn't a new sandbox flag for exactly that
reason. It's a new attribute on the iframe element. That is, you'd write
`<iframe strict-mixed-content-checking src="...">` (or whatever we called
it).

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 15 December 2014 19:42:40 UTC