W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 15 Dec 2014 19:48:59 +0000
Message-ID: <CAEeYn8gHo=9zCMz=v=wJjAEsbKUa7+h218vG3sHDtD41VSLjUg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, Michael Cooper <cooper@w3.org>, David Walp <David.Walp@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Aha, yes, my mistake.

So then I more emphatically suggest that we need a resource-level flag.
One of the other unfortunate things ads do is start as a <script> tag and
then dynamically inject an <iframe>.  Preventing any HTTP requests from
happening in descendant contexts seems a reasonable goal. (even if <script>
=> <iframe> is a horrible pattern)

On Mon Dec 15 2014 at 11:42:13 AM Mike West <mkwst@google.com> wrote:

> On Mon, Dec 15, 2014 at 8:39 PM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>>
>>
>>> I guess that would be implied by the iframe sandbox attribute which
>>>> would be included-by-reference into CSP's sandbox directive.  It just seems
>>>> ugly that you'd have to set a sandbox and christmas-tree the flags to get
>>>> this behavior.  It also seems a bit out-of-pattern to add new flags to
>>>> sandboxing in this way.  All the other flags loosen the sandbox.
>>>>
>>>
>>> I don't understand your point here. :/
>>>
>>
>> (sorry, slang decoder here:
>> http://en.wikipedia.org/wiki/Christmas_tree_packet )
>>
>> If the strict checking for descendants is the only behavior you want, you
>> have to set sandbox on yourself, then opt-out of everything AND opt-in to
>> this new flag.
>>
>
> Ah, there's the confusion. This isn't a new sandbox flag for exactly that
> reason. It's a new attribute on the iframe element. That is, you'd write
> `<iframe strict-mixed-content-checking src="...">` (or whatever we called
> it).
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>>
Received on Monday, 15 December 2014 19:49:34 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC