On 11/2/12 7:30 PM, Ian Melven wrote:
> is this mostly a shortcut for specifying 'https:' for all source directives ?

Sort of. The main difference would be that no-mixed-content would inherit into framed content. Specifying 'https:' can ensure an insecure framed document wouldn't get loaded but it cannot prevent the frame from itself including http: content.

Alternatives might be to specify this instead as part of the <iframe sandbox> attribute. We might also decide that it's dangerous to allow a possibly malicious parent document to block selected content in child frames, although that ship has already sailed somewhat with <iframe sandbox> in the first place.

-Dan Veditz

Received on Saturday, 3 November 2012 00:14:51 UTC
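The difference described in the message above, as an added example that is not part of the original post or of any browser's code: a small model of a frame tree evaluated once with 'https:' sources on the parent only and once with an inheriting no-mixed-content flag. The field names httpsOnly and noMixedContent, the inheritance rule and the .example URLs are assumptions made for illustration.

```javascript
// Constructed model of the frame-tree behaviour discussed above; not browser code.
// httpsOnly      ~ 'https:' in every source directive of that document's own policy
// noMixedContent ~ the proposed directive, assumed here to inherit into framed documents

const isHttps = (url) => new URL(url).protocol === "https:";

// Walk a document and its frames, recording what loads and what is blocked.
function evaluate(doc, inheritedNoMixed = false, out = { loaded: [], blocked: [] }) {
  const policy = doc.policy || {};
  // The inherited flag applies even when the framed document sets no policy itself.
  const noMixed = inheritedNoMixed || policy.noMixedContent === true;
  const allowed = (url) => isHttps(url) || !(noMixed || policy.httpsOnly);

  for (const url of doc.loads || []) {
    (allowed(url) ? out.loaded : out.blocked).push(url);
  }
  for (const frame of doc.frames || []) {
    if (!allowed(frame.url)) {
      out.blocked.push(frame.url); // frame never loads, so its contents are not visited
      continue;
    }
    out.loaded.push(frame.url);
    evaluate(frame, noMixed, out); // httpsOnly is NOT passed down, noMixed is
  }
  return out;
}

// Constructed sample page: one http: frame and one https: frame that pulls http: content.
function samplePage(policy) {
  return {
    url: "https://parent.example/",
    policy,
    loads: ["https://parent.example/app.js"],
    frames: [
      { url: "http://insecure.example/frame.html", loads: ["http://insecure.example/a.js"] },
      { url: "https://widget.example/frame.html",
        loads: ["http://cdn.example/lib.js", "https://cdn.example/style.css"] },
    ],
  };
}

const withHttpsSources = evaluate(samplePage({ httpsOnly: true }));
const withNoMixedContent = evaluate(samplePage({ noMixedContent: true }));

console.log("https: sources   blocked:", withHttpsSources.blocked);
console.log("no-mixed-content blocked:", withNoMixedContent.blocked);
```
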