[MIX]: 'allow-from' header? (Re: "Mixed Content" draft up for review.)

On Mon, Jun 2, 2014 at 7:42 PM, Jim Manico <jim.manico@owasp.org> wrote:

>
> On 6/2/14, 10:35 AM, Daniel Veditz wrote:
>
>> For that domain. It doesn't mean the author would never want to include
>> other-domain non-SSL content. What are you going to do about the common
>> case of viewing embedded images in secure GMail?
>>
> What about some kind of allow-from header for this case similar to
> X-Frame-Options allow-from?
Hey Jim!

I think this would be a bad idea; the resource being loaded shouldn't have
the ability to override the loader's security policy.

There's more of an argument to be made for allowing the page to opt-out of
mixed content checking. I don't think that's a good idea either, honestly,
as it sincerely weakens the security promises made by the establishment of
a TLS connection in the first place.

Mixed content is bad. I'd suggest that we should be doing our best to
eradicate it entirely rather than leaving footguns around for authors to
play with.

-mike

Received on Tuesday, 3 June 2014 08:43:42 UTC
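An added illustration of the check being argued about above (this is not code from the thread, from the Mixed Content draft, or from any browser): a minimal mixed-content classifier that looks only at the loading document's origin and the requested URL. It has no input for anything the loaded resource sends back, which is the point of the reply: a response header on the embedded image has no way to relax the loader's policy. The "optionally-blockable" category for image/audio/video follows the later published Mixed Content spec; the 2014 draft's terminology may have differed, and the trustworthiness test is simplified (no data:/blob: origin inheritance, no user-agent allow-lists). All URLs in the usage are constructed.

```javascript
// Added example, not from the thread. A loader-side mixed-content check:
// the decision depends on the document's origin and the request URL only.

// "Potentially trustworthy" URL test, simplified from the Secure Contexts /
// Mixed Content specs: https, wss and file, plus plaintext loopback hosts.
// Assumption: no browser-specific allow-lists or data:/blob: inheritance.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:" || u.protocol === "file:") {
    return true;
  }
  if (u.protocol === "http:" || u.protocol === "ws:") {
    const h = u.hostname;
    return h === "localhost" || h === "127.0.0.1" || h === "[::1]";
  }
  return false;
}

// Request destinations the published spec treats as "optionally-blockable":
// rendered but never executed, so a browser may show them with a warning.
// Everything else (script, style, iframe, fetch, websocket, ...) is blockable.
// Assumption: names follow the later spec, not necessarily the 2014 draft.
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// Classify a subresource fetch started by a document at documentUrl.
// Returns "allowed", "optionally-blockable" or "blockable".
// Deliberately no parameter for the response or its headers: a hypothetical
// "allow-from" header on the loaded resource cannot reach this decision.
function classifyRequest(documentUrl, requestUrl, destination) {
  // A plaintext document has no TLS promise to protect; nothing is "mixed".
  if (!isPotentiallyTrustworthy(documentUrl)) {
    return "allowed";
  }
  // Secure document loading a secure (or loopback) resource: fine.
  if (isPotentiallyTrustworthy(requestUrl)) {
    return "allowed";
  }
  // Secure document loading plaintext: mixed content. Severity depends only
  // on what the loader intends to do with the bytes, never on the resource.
  return OPTIONALLY_BLOCKABLE.has(destination) ? "optionally-blockable" : "blockable";
}

// Usage with constructed URLs, including the "embedded image in secure
// GMail" case raised in the thread.
const cases = [
  ["https://mail.google.com/mail/", "http://example.com/pic.png", "image"],
  ["https://mail.google.com/mail/", "http://example.com/lib.js", "script"],
  ["https://mail.google.com/mail/", "https://cdn.example.com/lib.js", "script"],
  ["http://example.org/", "http://example.com/lib.js", "script"],
  ["https://example.org/", "http://localhost:8080/dev.js", "script"],
  ["https://example.org/", "ws://example.com/socket", "websocket"],
];
for (const [doc, req, dest] of cases) {
  console.log(`${doc} -> ${req} (${dest}): ${classifyRequest(doc, req, dest)}`);
}
```

The only way to change the outcome for the GMail image case is on the loader's side (change the document's origin, or change what the loader does with an "optionally-blockable" result); nothing example.com can put in its response is consulted, which is the property the reply is defending.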