Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 15 Dec 2014 19:39:20 +0000
Message-ID: <CAEeYn8g372XY54cn+z9XSNviq9HtYrgySWEEQ-UAS5KaZpVV2A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, Michael Cooper <cooper@w3.org>, David Walp <David.Walp@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

>> I guess that would be implied by the iframe sandbox attribute which would
>> be included-by-reference into CSP's sandbox directive.  It just seems ugly
>> that you'd have to set a sandbox and christmas-tree the flags to get this
>> behavior.  It also seems a bit out-of-pattern to add new flags to
>> sandboxing in this way.  All the other flags loosen the sandbox.
> I don't understand your point here. :/

(sorry, slang decoder here:
http://en.wikipedia.org/wiki/Christmas_tree_packet )

If the strict checking for descendants is the only behavior you want, you
have to set sandbox on yourself, then opt-out of everything AND opt-in to
this new flag.

Received on Monday, 15 December 2014 19:39:47 UTC
