Aha, yes, my mistake.
So then I more emphatically suggest that we need a resource-level flag.
One of the other unfortunate things ads do is start as a <script> tag and
then dynamically inject an <iframe>. Preventing any HTTP requests from
happening in descendant contexts seems a reasonable goal. (even if <script>
=> <iframe> is a horrible pattern)
On Mon Dec 15 2014 at 11:42:13 AM Mike West <mkwst@google.com> wrote:
> On Mon, Dec 15, 2014 at 8:39 PM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>>
>>
>>> I guess that would be implied by the iframe sandbox attribute which
>>>> would be included-by-reference into CSP's sandbox directive. It just seems
>>>> ugly that you'd have to set a sandbox and christmas-tree the flags to get
>>>> this behavior. It also seems a bit out-of-pattern to add new flags to
>>>> sandboxing in this way. All the other flags loosen the sandbox.
>>>>
>>>
>>> I don't understand your point here. :/
>>>
>>
>> (sorry, slang decoder here:
>> http://en.wikipedia.org/wiki/Christmas_tree_packet )
>>
>> If the strict checking for descendants is the only behavior you want, you
>> have to set sandbox on yourself, then opt-out of everything AND opt-in to
>> this new flag.
>>
>
> Ah, there's the confusion. This isn't a new sandbox flag for exactly that
> reason. It's a new attribute on the iframe element. That is, you'd write
> `<iframe strict-mixed-content-checking src="...">` (or whatever we called
> it).
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>>