Hrm. I don't think we can do this by default; if we could, we wouldn't be
making a distinction between blockable and optionally-blockable at all, but
it seems like there's general agreement that we're not there yet.

How do you see strict-mode-by-default playing out?

-mike

On Dec 16, 2014 7:07 AM, "Brian Smith" <brian@briansmith.org> wrote:
> On Mon, Dec 15, 2014 at 7:18 AM, Mike West <mkwst@google.com> wrote:
> > I took a pass at a strawman in
> > https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode.
> >
> > WDYT?
>
> Like I said in the earlier thread, I think there is a good chance we
> can just make the strict mode the default and only behavior. We should
> try to do that first, before we make CSP or the DOM more complicated.
> I understand there is a general compatibility concern about maybe
> potentially breaking too many websites, but I doubt it will be too
> bad. If there are particular cases you know about and are concerned
> about, that make you feel it is unrealistic to make this the default
> behavior, it would be great to have them noted.
>
> Cheers,
> Brian
>