Re: [webappsec] Agenda for MONDAY Teleconference 2014-10-20, 12:00 PDT

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Oct 20, 2014 at 4:56 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Oct 20, 2014 at 4:45 PM, Mike West <mkwst@google.com> wrote:
> > * Should we split Mixed Content into a document focusing on "Insecure
> > content (HTTP) in a secure context (HTTPS)", and another focusing on
> > "Intranet content in an extranet context"? Brad(?) suggested this at some
> > point in the past, and the more I think about it, the more it probably
> makes
> > sense. +Brian, who has opinions here, I think.
>
> I would prefer less hooks in Fetch (and personally I would prefer
> Mixed Content and CSP and such all in one document). Perhaps for Fetch
> at some point we can refactor it as a single "security hook" that you
> make CSP, Mixed Content, and whatever else we come up with hook into
> without getting into ordering trouble.
>

Point taken regarding hooks from Fetch. It's not clear to me what the best
way to manage that sort of thing is; do you already have ideas about how
you'd like such a hook to look?

Regarding "all in one document", my initial reaction is "Ugh." I'd prefer
to be writing smaller documents, focused on specific topics. In particular,
the public/private distinction as currently described in MIX seems quite
tacked on (because it was). I think tacking CSP on as well would be hard to
clearly explain.

-mike