- From: Mike West <mkwst@google.com>
- Date: Tue, 3 Jun 2014 10:42:52 +0200
- To: Jim Manico <jim.manico@owasp.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 3 June 2014 08:43:42 UTC
On Mon, Jun 2, 2014 at 7:42 PM, Jim Manico <jim.manico@owasp.org> wrote:
>
> On 6/2/14, 10:35 AM, Daniel Veditz wrote:
>
>> For that domain. It doesn't mean the author would never want to include
>> other-domain non-SSL content. What are you going to do about the common
>> case of viewing embedded images in secure GMail?
>>
> What about some kind of allow-from header for this case similar to
> X-Frame-Options allow-from?

Hey Jim!

I think this would be a bad idea; the resource being loaded shouldn't have the ability to override the loader's security policy.

There's more of an argument to be made for allowing the page to opt out of mixed content checking. I don't think that's a good idea either, honestly, as it sincerely weakens the security promises made by the establishment of a TLS connection in the first place.

Mixed content is bad. I'd suggest that we should be doing our best to eradicate it entirely rather than leaving footguns around for authors to play with.

-mike