On Mon, Dec 15, 2014 at 8:39 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
>
>
>> I guess that would be implied by the iframe sandbox attribute which would
>>> be included-by-reference into CSP's sandbox directive. It just seems ugly
>>> that you'd have to set a sandbox and christmas-tree the flags to get this
>>> behavior. It also seems a bit out-of-pattern to add new flags to
>>> sandboxing in this way. All the other flags loosen the sandbox.
>>>
>>
>> I don't understand your point here. :/
>>
>
> (sorry, slang decoder here:
> http://en.wikipedia.org/wiki/Christmas_tree_packet )
>
> If the strict checking for descendants is the only behavior you want, you
> have to set sandbox on yourself, then opt-out of everything AND opt-in to
> this new flag.
>
Ah, there's the confusion. This isn't a new sandbox flag for exactly that
reason. It's a new attribute on the iframe element. That is, you'd write
`<iframe strict-mixed-content-checking src="...">` (or whatever we called
it).
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>