
Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Mike West <mkwst@google.com>
Date: Wed, 17 Dec 2014 10:35:06 +0100
Message-ID: <CAKXHy=c0YnxOUx7gg269jQsU=pavoJC6wuR5YO9mY0L6Y5OFHg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: David Walp <David.Walp@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michael Cooper <cooper@w3.org>
On Wed, Dec 17, 2014 at 9:08 AM, Mike West <mkwst@google.com> wrote:
>
> On Dec 16, 2014 9:35 PM, "Brian Smith" <brian@briansmith.org> wrote:
>
>> On Mon, Dec 15, 2014 at 10:39 PM, Mike West <mkwst@google.com> wrote:
>> > Hrm. I don't think we can do this by default; if we could, we wouldn't
>> > be making a distinction between blockable and optionally-blockable at
>> > all, but it seems like there's general agreement that we're not there
>> > yet.
>> >
>> > How do you see strict-mode-by-default playing out?
>>
>> I mean, do not block optionally-blockable content within the main
>> document, but block it by default in all frames. That + "default-src
>> https wss" would be equivalent to your suggested
>> strict-mixed-content-checking directive.
>>
>
With the exception that CSP does not inherit to subframes (so you'd still
get the UI offering users the ability to load blockable mixed content), and
has script-related side effects ('unsafe-inline', 'unsafe-eval'), pretty
much yes.

I've added this as a suggested experiment in the "Further Action" section
of the spec:
https://w3c.github.io/webappsec/specs/mixedcontent/#further-action. I hope
that's a satisfactory compromise.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
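As an added illustration, not part of this thread or of the Mixed Content spec, the following Python model compares the three behaviours discussed above: the spec's default (blockable content blocked, optionally-blockable left to the user agent), Brian's proposal (optionally-blockable content blocked only inside frames), and the proposed strict-mixed-content-checking directive (everything mixed blocked). It also models Mike's caveat that a `default-src https: wss:` policy is not inherited by subframes. It assumes that image, audio and video are the optionally-blockable categories; the example.com URLs are constructed.

```python
from urllib.parse import urlsplit

# A fetch from a document on one of these schemes to any other scheme is mixed content.
SECURE_SCHEMES = {"https", "wss"}

# Assumption for this model: these are the spec's optionally-blockable types;
# every other type (script, frame, stylesheet, ...) is treated as blockable.
OPTIONALLY_BLOCKABLE = {"image", "audio", "video"}


def is_mixed(document_url: str, resource_url: str) -> bool:
    """True when a secure document requests a resource over an insecure scheme."""
    doc = urlsplit(document_url).scheme.lower()
    res = urlsplit(resource_url).scheme.lower()
    return doc in SECURE_SCHEMES and res not in SECURE_SCHEMES


def decision(document_url, resource_url, resource_type, in_frame=False, mode="default"):
    """Return 'allow', 'block' or 'optional' for one fetch.

    mode="default": blockable content is blocked; optionally-blockable content is
                    left to the user agent ('optional', e.g. a UI warning).
    mode="frames":  Brian's proposal: optionally-blockable content is still allowed
                    in the main document but blocked by default inside frames.
    mode="strict":  the proposed strict-mixed-content-checking directive:
                    all mixed content is blocked, wherever it is loaded.
    """
    if not is_mixed(document_url, resource_url):
        return "allow"
    if resource_type not in OPTIONALLY_BLOCKABLE:
        return "block"
    if mode == "strict" or (mode == "frames" and in_frame):
        return "block"
    return "optional"


def csp_allows(policy: str, resource_url: str, delivered_to_this_document: bool) -> bool:
    """Evaluate a scheme-only default-src allowlist such as "https: wss:".

    Mike's caveat: CSP applies only to the document it was delivered with, so a
    subframe without its own policy header is not constrained by the parent's.
    The thread writes the sources without trailing colons; both forms are accepted.
    """
    if not delivered_to_this_document:
        return True
    allowed = {source.rstrip(":").lower() for source in policy.split()}
    return urlsplit(resource_url).scheme.lower() in allowed
```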
Received on Wednesday, 17 December 2014 09:35:55 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC