- From: Dan Veditz <dveditz@mozilla.com>
- Date: Sat, 03 Nov 2012 01:14:21 +0100
- To: Ian Melven <imelven@mozilla.com>
- CC: Web Application Security Working Group <public-webappsec@w3.org>
On 11/2/12 7:30 PM, Ian Melven wrote:
> is this mostly a shortcut for specifying 'https:' for all source directives ?

Sort of. The main difference would be that no-mixed-content would inherit into framed content. Specifying 'https:' can ensure an insecure framed document wouldn't get loaded but it cannot prevent the frame from itself including http: content.

Alternatives might be to specify this instead as part of the <iframe sandbox> attribute. We might also decide that it's dangerous to allow a possibly malicious parent document to block selected content in child frames, although that ship has already sailed somewhat with <iframe sandbox> in the first place.

-Dan Veditz
Received on Saturday, 3 November 2012 00:14:51 UTC
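
The difference described in the message above, as an added illustration that is not part of the original message and is not browser code: a constructed frame tree is evaluated once with a per-document 'https:' source list and once with a hypothetical inheriting no-mixed-content flag. The field names `httpsSources` and `noMixedContent`, the helper names, and all `example` URLs are assumptions made for this sketch.

```javascript
// Constructed model for illustration; not browser code. A document has a URL,
// the subresources it requests, the frames it embeds, and one of two assumed
// policy fields:
//   httpsSources   - its own CSP restricts every source directive to 'https:'
//   noMixedContent - the hypothetical inheriting flag discussed in the thread
function evaluate(doc, inheritedNoMixed = false, out = []) {
  const noMixed = inheritedNoMixed || doc.noMixedContent === true;
  const httpsOnly = doc.httpsSources === true;
  const blocked = (url) => (noMixed || httpsOnly) && !url.startsWith("https:");

  for (const url of doc.resources || []) {
    out.push({ from: doc.url, url, allowed: !blocked(url) });
  }
  for (const frame of doc.frames || []) {
    const allowed = !blocked(frame.url);
    out.push({ from: doc.url, url: frame.url, allowed });
    // A blocked frame never loads, so its own requests never happen.
    // Only the noMixedContent flag is passed down; httpsSources is not.
    if (allowed) evaluate(frame, noMixed, out);
  }
  return out;
}

// Constructed frame tree: an HTTPS page embedding one HTTPS widget (which
// itself pulls a script over http:) and one plain-http frame.
function sampleTree(parentPolicy) {
  return {
    url: "https://app.example/",
    ...parentPolicy,
    resources: ["https://app.example/app.js"],
    frames: [
      { url: "https://widget.example/", resources: ["http://cdn.example/lib.js"] },
      { url: "http://legacy.example/", resources: ["http://legacy.example/x.js"] },
    ],
  };
}

// Returns the URLs that were blocked for a given parent policy.
function blockedUrls(parentPolicy) {
  return evaluate(sampleTree(parentPolicy)).filter((r) => !r.allowed).map((r) => r.url);
}

console.log("'https:' sources :", blockedUrls({ httpsSources: true }));
console.log("no-mixed-content :", blockedUrls({ noMixedContent: true }));
```

With the 'https:' source list only the plain-http frame is refused, while the widget's own http: script still loads; with the inheriting flag both are refused.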