Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

Aha, yes, my mistake.

So then I more emphatically suggest that we need a resource-level flag.
One of the other unfortunate things ads do is start as a <script> tag and
then dynamically inject an <iframe>.  Preventing any HTTP requests from
happening in descendant contexts seems a reasonable goal. (even if <script>
=> <iframe> is a horrible pattern)

On Mon Dec 15 2014 at 11:42:13 AM Mike West <> wrote:

> On Mon, Dec 15, 2014 at 8:39 PM, Brad Hill <> wrote:
>>> I guess that would be implied by the iframe sandbox attribute which
>>>> would be included-by-reference into CSP's sandbox directive.  It just seems
>>>> ugly that you'd have to set a sandbox and christmas-tree the flags to get
>>>> this behavior.  It also seems a bit out-of-pattern to add new flags to
>>>> sandboxing in this way.  All the other flags loosen the sandbox.
>>> I don't understand your point here. :/
>> (sorry, slang decoder here:
>> )
>> If the strict checking for descendants is the only behavior you want, you
>> have to set sandbox on yourself, then opt-out of everything AND opt-in to
>> this new flag.
> Ah, there's the confusion. This isn't a new sandbox flag for exactly that
> reason. It's a new attribute on the iframe element. That is, you'd write
> `<iframe strict-mixed-content-checking src="...">` (or whatever we called
> it).
> -mike
> --
> Mike West <>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 15 December 2014 19:49:34 UTC