W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Brian Smith <brian@briansmith.org>
Date: Tue, 16 Dec 2014 12:35:00 -0800
Message-ID: <CAFewVt6EFQgLQAhX=4_nWyhkyPxTtP4EPBqqr8ckTE1xXm9vsw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, David Walp <David.Walp@microsoft.com>, Michael Cooper <cooper@w3.org>
On Mon, Dec 15, 2014 at 10:39 PM, Mike West <mkwst@google.com> wrote:
> Hrm. I don't think we can do this by default; if we could, we wouldn't be
> making a distinction between blockable and optionally-blockable at all, but
> it seems like there's general agreement that we're not there yet.
> How do you see strict-mode-by-default playing out?

I mean, do not block optionally-blockable content within the main
document, but block it by default in all frames. That + "default-src
https wss" would be equivalent to your suggested
strict-mixed-content-checking directive.

Received on Tuesday, 16 December 2014 20:35:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC