Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

> There is a CSP directive defined in
> https://w3c.github.io/webappsec/specs/mixedcontent/#strict-documents. Is
> that more or less along the lines of what you're looking for?
>
> -mike
>
> Yes, like that, but which cascades to descendant contexts.

I guess that would be implied by the iframe sandbox attribute which would
be included-by-reference into CSP's sandbox directive.  It just seems ugly
that you'd have to set a sandbox and Christmas-tree the flags to get this
behavior.  It also seems a bit out-of-pattern to add new flags to
sandboxing in this way.  All the other flags loosen the sandbox.  (This was
probably a poor design choice from a forward evolution standpoint, now that
I think about it, but that ship has sailed.)

-Brad

Received on Monday, 15 December 2014 19:31:20 UTC