
Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Mike West <mkwst@google.com>
Date: Wed, 17 Dec 2014 09:08:51 +0100
Message-ID: <CAKXHy=dBFA0VjUKFXYwdAB6_Z9WeGgZ-s=NHfgencXQzzggXQA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: David Walp <David.Walp@microsoft.com>, public-webappsec@w3.org, Michael Cooper <cooper@w3.org>

I think that treating optionally blockable content in frames as blockable
would be a fine thing for vendors to experiment with. In the short term, I
know we would break some internal ad verification tools if we did that in a
way that didn't present UI to users to choose to enable blockable content.
I suspect there are other cases where that's important that I don't know
about.

I'm reluctant to add that kind of restriction to the spec as a requirement,
but I'm happy to throw it in as an example of the kind of experimentation
user agents are totally allowed to do.

Likewise, I'm reluctant to complicate "strict" checking by separating the
concepts of "block everything" and "don't display UI to users to allow
opting out". That complicates the model without much benefit.

-mike
On Dec 16, 2014 9:35 PM, "Brian Smith" <brian@briansmith.org> wrote:

> On Mon, Dec 15, 2014 at 10:39 PM, Mike West <mkwst@google.com> wrote:
> > Hrm. I don't think we can do this by default; if we could, we wouldn't be
> > making a distinction between blockable and optionally-blockable at all,
> but
> > it seems like there's general agreement that we're not there yet.
> >
> > How do you see strict-mode-by-default playing out?
>
> I mean, do not block optionally-blockable content within the main
> document, but block it by default in all frames. That + "default-src
> https wss" would be equivalent to your suggested
> strict-mixed-content-checking directive.
>
> Cheers,
> Brian
>
Received on Wednesday, 17 December 2014 08:09:18 UTC
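To make the comparison in the thread concrete, here is an added example that is not code from the thread, from the Mixed Content spec, or from any browser: a small model of the mixed-content classification, with "strict" checking on one side and Brian's "block optionally-blockable content in frames, plus `default-src https: wss:`" combination on the other. The assumptions are mine: only `https:` and `wss:` count as secure schemes, the optionally-blockable request destinations are image, audio and video (everything else, including scripts, WebSockets and frames, is blockable), and the CSP model contains nothing but a scheme-only `default-src`. The sample requests and the `example.test` hosts are constructed.

```javascript
// Added example (not from the thread or any browser): a minimal model of the
// Mixed Content checks discussed above, used to compare "strict" checking with
// "block optionally-blockable content in frames" + CSP "default-src https: wss:".
// Assumptions (mine): https:/wss: are the only secure schemes considered; the
// optionally-blockable destinations are image, audio and video; the CSP policy
// consists solely of a scheme-only default-src.

const SECURE_SCHEMES = new Set(["https:", "wss:"]);
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// Returns "not-mixed", "optionally-blockable" or "blockable" for one request.
function classify(documentUrl, requestUrl, destination) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);
  if (!SECURE_SCHEMES.has(doc.protocol)) return "not-mixed"; // insecure page: nothing is "mixed"
  if (SECURE_SCHEMES.has(req.protocol)) return "not-mixed";
  return OPTIONALLY_BLOCKABLE.has(destination) ? "optionally-blockable" : "blockable";
}

// Mixed-content decision for one request ("allow" or "block").
// ctx.inFrame: the requesting document is a nested browsing context.
// options.strict:        treat optionally-blockable content as blockable everywhere.
// options.blockInFrames: treat optionally-blockable content as blockable in frames only.
function mixedContentDecision(ctx, options) {
  const kind = classify(ctx.documentUrl, ctx.requestUrl, ctx.destination);
  if (kind === "not-mixed") return "allow";
  if (kind === "blockable") return "block";
  if (options.strict) return "block";
  if (options.blockInFrames && ctx.inFrame) return "block";
  return "allow"; // optionally-blockable content the UA chooses to display
}

// Minimal CSP model: a policy holding only `default-src <scheme-source>...`.
// The fetch is allowed when the request scheme matches a listed scheme.
function cspAllows(policy, requestUrl) {
  if (!policy) return true; // no policy delivered
  return policy.defaultSrcSchemes.includes(new URL(requestUrl).protocol);
}

// Combined outcome: the fetch proceeds only if both checks allow it.
function outcome(ctx, options, policy) {
  if (mixedContentDecision(ctx, options) === "block") return "block";
  return cspAllows(policy, ctx.requestUrl) ? "allow" : "block";
}

// Constructed sample requests, all issued from https: documents.
const SAMPLES = [
  { name: "top-level http image", documentUrl: "https://example.test/",      requestUrl: "http://cdn.example.test/a.png", destination: "image",     inFrame: false },
  { name: "framed http image",    documentUrl: "https://example.test/frame", requestUrl: "http://cdn.example.test/b.png", destination: "image",     inFrame: true  },
  { name: "http script",          documentUrl: "https://example.test/",      requestUrl: "http://cdn.example.test/c.js",  destination: "script",    inFrame: false },
  { name: "ws socket",            documentUrl: "https://example.test/",      requestUrl: "ws://example.test/chat",        destination: "websocket", inFrame: false },
  { name: "https image",          documentUrl: "https://example.test/",      requestUrl: "https://cdn.example.test/d.png", destination: "image",    inFrame: false },
];

const DEFAULT = {};
const FRAMES_ONLY = { blockInFrames: true };
const STRICT = { strict: true };
const CSP_HTTPS_WSS = { defaultSrcSchemes: ["https:", "wss:"] };

// Returns the sample rows on which strict checking and "frames-only + CSP"
// disagree; an empty array means the two configurations are equivalent here.
function compareStrictWithFramesPlusCsp(samples = SAMPLES) {
  return samples
    .map(s => ({ name: s.name,
                 strict: outcome(s, STRICT, null),
                 combined: outcome(s, FRAMES_ONLY, CSP_HTTPS_WSS) }))
    .filter(r => r.strict !== r.combined);
}

for (const s of SAMPLES) {
  console.log(s.name.padEnd(22),
              "default:", outcome(s, DEFAULT, null).padEnd(6),
              "frames-only:", outcome(s, FRAMES_ONLY, null).padEnd(6),
              "strict:", outcome(s, STRICT, null).padEnd(6),
              "frames-only+CSP:", outcome(s, FRAMES_ONLY, CSP_HTTPS_WSS));
}
console.log("disagreements:", compareStrictWithFramesPlusCsp().length);
```

Within this model the two configurations agree on every sample: the frames-only rule covers framed images, and the scheme-only `default-src` catches the `http:` image in the top-level document. Two caveats for anyone applying this on a real page. First, the model ignores what else `default-src https: wss:` does: with no other source expressions it also rejects `data:` and `blob:` URLs and inline script and style, so the combination is stricter than a mixed-content check alone. Second, the frames-only rule is a user-agent behaviour that a site cannot request, whereas the CSP half is delivered per page; the strict directive this thread was sketching later shipped in the Mixed Content specification as `block-all-mixed-content`.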
