Strict mixed content checking (was Re: MIX: Exiting last call?)

On Mon, Dec 15, 2014 at 12:10 PM, Mike West <mkwst@google.com> wrote:
>
>> 3. Whether to change how currently-optionally-blockable mixed content
>> in iframes is dealt with [4]--in particular, whether to treat all
>> mixed content in iframes as mixed content--hasn't been adequately
>> addressed. There doesn't seem to be sufficient agreement either way,
>> and also we lack sufficient data to make a determination about the
>> feasibility of making a change. My suggestion would be to note the
>> issue as something to be resolved during CR/PR, if that can be done
>> without prejudice against making the change to block it if we get data
>> showing it is feasible.
>>
>
> We ended up in
> http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0355.html; I
> think it's totally reasonable to add something to frames that would
> silently block all mixed content in any nested browsing context to give the
> parent some assurance regarding the page's security indicator.
>
> I don't think this is something we could add at CR; it's really a new
> feature. It's not clear to me that there's sufficient agreement on what we
> should do here to proceed, but I'll draft some text that we can argue
> about. :)
>

I took a pass at a strawman in
https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode.

WDYT?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 15 December 2014 15:19:27 UTC