- From: Brian Smith <brian@briansmith.org>
- Date: Tue, 16 Dec 2014 12:35:00 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, David Walp <David.Walp@microsoft.com>, Michael Cooper <cooper@w3.org>

On Mon, Dec 15, 2014 at 10:39 PM, Mike West <mkwst@google.com> wrote:
> Hrm. I don't think we can do this by default; if we could, we wouldn't be
> making a distinction between blockable and optionally-blockable at all, but
> it seems like there's general agreement that we're not there yet.
>
> How do you see strict-mode-by-default playing out?

I mean, do not block optionally-blockable content within the main document, but block it by default in all frames. That + "default-src https wss" would be equivalent to your suggested strict-mixed-content-checking directive.

Cheers,
Brian

Received on Tuesday, 16 December 2014 20:35:27 UTC