W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

[MIX]: 'allow-from' header? (Re: "Mixed Content" draft up for review.)

From: Mike West <mkwst@google.com>
Date: Tue, 3 Jun 2014 10:42:52 +0200
Message-ID: <CAKXHy=dAp-HqdkYTuzTVAaFDM0xXP5pbGuD_oLCh1pTaA6hJtQ@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jun 2, 2014 at 7:42 PM, Jim Manico <jim.manico@owasp.org> wrote:

> On 6/2/14, 10:35 AM, Daniel Veditz wrote:
>> For that domain. It doesn't mean the author would never want to include
>> other-domain non-SSL content. What are you going to do about the common
>> case of viewing embedded images in secure GMail?
> What about some kind of allow-from header for this case similar to
> X-Frame-Options allow-from?

Hey Jim!

I think this would be a bad idea; the resource being loaded shouldn't have
the ability to override the loader's security policy.

There's more of an argument to be made for allowing the page to opt-out of
mixed content checking. I don't think that's a good idea either, honestly,
as it sincerely weakens the security promises made by the establishment of
a TLS connection in the first place.

Mixed content is bad. I'd suggest that we should be doing our best to
eradicate it entirely rather than leaving footguns around for authors to
play with.

Received on Tuesday, 3 June 2014 08:43:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:38 UTC