- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Tue, 01 Feb 2011 09:14:08 -0800
- To: Jochen Eisinger <eisinger@google.com>
- CC: public-web-security@w3.org
On 02/01/2011 04:40 AM, Jochen Eisinger wrote:
> Hey,
>
> I might be overlooking something, but will this proposal allow for
> blocking sources based on the protocol used, i.e. to support the use
> case of disallowing resources served via http from an https site?

Indeed. Both Adam's and Mozilla's proposals optionally allow schemes
(and ports) to be whitelisted in the policy. In the use case you
mentioned, a policy might look like:

    default-src https://*

or:

    default-src https://*:443 ; script-src https://my.site:443

Cheers,
Brandon

Received on Tuesday, 1 February 2011 17:14:38 UTC
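
The following is an added example, not part of the original message or of either proposal: a simplified JavaScript matcher showing how the two policies above would treat http, https and non-default-port resources. The function names are hypothetical, only `scheme://host[:port]` expressions are handled, and it assumes that an expression without a port matches only the scheme's default port; `cdn.example` and `other.example` in the test inputs are constructed hosts.

```javascript
// Added example: simplified matcher for the scheme/host/port source
// expressions used in the policies above. Not a full CSP implementation.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse "default-src https://* ; script-src https://my.site:443" into
// { "default-src": ["https://*"], "script-src": ["https://my.site:443"] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Match one source expression of the form scheme://host[:port] against a URL.
function sourceMatches(expr, url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:\/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // keywords, paths, scheme-less hosts: out of scope here
  const [, scheme, host, port] = m;
  if (url.protocol !== scheme.toLowerCase() + ":") return false;
  // URL.port is "" when the URL uses the scheme's default port.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  // Assumption: with no port in the expression, only the default port matches.
  const wantPort = port || DEFAULT_PORTS[url.protocol];
  if (wantPort !== "*" && wantPort !== urlPort) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1).toLowerCase());
  return url.hostname === host.toLowerCase();
}

// Decide whether a load is allowed; a missing directive falls back to default-src.
function isAllowed(policy, directive, resourceUrl) {
  const directives = parsePolicy(policy);
  const sources = directives[directive] ?? directives["default-src"];
  if (sources === undefined) return true; // no applicable directive: unrestricted
  const url = new URL(resourceUrl);
  return sources.some((expr) => sourceMatches(expr, url));
}
```
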