Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Brian Smith <brian@briansmith.org>
Date: Mon, 15 Dec 2014 22:07:07 -0800
Message-ID: <CAFewVt7w=hAaDbG4t=xx-ygZVK1VA2pmZ+Sj_aV9Z0_VGHaAog@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Michael Cooper <cooper@w3.org>, David Walp <David.Walp@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Dec 15, 2014 at 7:18 AM, Mike West <mkwst@google.com> wrote:
> I took a pass at a strawman in
> https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode.
>
> WDYT?

Like I said in the earlier thread, I think there is a good chance we
can just make the strict mode the default and only behavior. We should
try to do that first, before we make CSP or the DOM more complicated.
I understand there is a general compatibility concern about maybe
potentially breaking too many websites, but I doubt it will be too
bad. If there are particular cases you know about and are concerned
about, that make you feel it is unrealistic to make this the default
behavior, it would be great to have them noted.

Cheers,
Brian
Received on Tuesday, 16 December 2014 06:07:34 UTC