
Re: CSP and mixed content

From: Mike West <mkwst@google.com>
Date: Wed, 7 May 2014 15:14:36 +0200
Message-ID: <CAKXHy=ebnyvhOpMJbAmyNLnwzd7c33RJQRGiG+fy-tnGgwCRqw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>

That makes sense to me. CSP could certainly be used to explain how mixed
content is blocked. If the resource is loaded over a secure channel, we
could apply a base policy of `script-src https:; style-src https:;
object-src https:; connect-src https: wss:` and allow the page to tighten
it from there. Is that what you had in mind?

For this particular use case, it might make sense to define some sort of
keyword for "secure content", as 'https:' doesn't actually reflect the
extent of what user agents might consider securely transported.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Wed, Apr 30, 2014 at 3:29 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> I have this open issue on Fetch:
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=22262
>
> I was wondering, once we have integration between Fetch and CSP, would
> it make sense for CSP to define the mixed content blocking rules?
> Fetch should give sufficient context to execute those rules, no? Would
> be great to have it defined.
>
>
> --
> http://annevankesteren.nl/
>
>
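As an added example (not code from Mike's message, nor from any browser's CSP implementation), the following JavaScript models how the user-agent base policy he sketches, `script-src https:; style-src https:; object-src https:; connect-src https: wss:`, would compose with a page's own policy under the usual CSP rule that a request must satisfy every policy that applies, so the page can only tighten the base. The page policy, host names and request URLs are constructed for illustration; only scheme sources, host sources and `'none'` are modelled, and host sources written without a scheme are taken to match any scheme, which is a simplification of the spec rule that depends on the protected resource's scheme. The last sample shows the gap Mike raises: a bare `https:` source says nothing about other origins a user agent may treat as securely transported, such as `localhost`.

```javascript
// Added example: a minimal model of CSP source-list matching, used to show how
// a user-agent "mixed content" base policy composes with a page-supplied policy.
// Per CSP, when several policies apply, a request must satisfy every one of
// them. Only scheme sources, host sources and 'none' are modelled; a host
// source without a scheme is treated here as matching any scheme
// (simplification: the real rule depends on the protected resource's scheme).

const BASE_MIXED_CONTENT_POLICY =
  'script-src https:; style-src https:; object-src https:; connect-src https: wss:';

// Parse "directive src src; directive src" into Map<directive, string[]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

const DEFAULT_PORTS = { 'http:': '80', 'ws:': '80', 'https:': '443', 'wss:': '443' };

// Match a single source expression against a parsed URL.
function sourceMatches(source, url) {
  const proto = url.protocol.toLowerCase();
  // Scheme source such as "https:" or "wss:": the scheme alone decides.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return proto === source.toLowerCase();
  }
  // Host source: [scheme://][*.]host[:port|:*]  ('*' alone and keyword
  // sources other than 'none' are not modelled and simply fail to match).
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && proto !== scheme.toLowerCase() + ':') return false;
  const hostname = url.hostname.toLowerCase();
  const hostOk = wildcard
    ? hostname.endsWith('.' + host.toLowerCase())
    : hostname === host.toLowerCase();
  if (!hostOk) return false;
  if (port && port !== '*') {
    const urlPort = url.port || DEFAULT_PORTS[proto] || '';
    if (urlPort !== port) return false;
  }
  return true;
}

// Does one policy allow `url` for `directive`? Fetch directives fall back to
// default-src; a policy that names neither imposes no restriction at all.
function policyAllows(policy, directive, url) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return true;
  if (sources.length === 0 || sources.includes("'none'")) return false;
  return sources.some((s) => sourceMatches(s, url));
}

// A request is allowed only if every applicable policy allows it.
function isAllowed(policies, directive, urlString) {
  const url = new URL(urlString);
  return policies.every((p) => policyAllows(p, directive, url));
}

// Constructed page policy and sample requests from a page served over HTTPS.
const pagePolicy =
  'script-src https://cdn.example.com; connect-src https://api.example.com wss://api.example.com';
const samples = [
  ['script-src',  'http://cdn.example.com/app.js'],    // mixed content: base policy blocks it
  ['script-src',  'https://cdn.example.com/app.js'],   // allowed by base and by page
  ['script-src',  'https://other.example.net/app.js'], // base allows, page tightens: blocked
  ['connect-src', 'wss://api.example.com/socket'],     // base lists wss:, page lists the host
  ['connect-src', 'ws://api.example.com/socket'],      // insecure WebSocket: blocked
  ['script-src',  'http://localhost:8080/dev.js'],     // "https:" cannot express a UA's notion of a trustworthy origin
];

for (const [directive, target] of samples) {
  const base = isAllowed([BASE_MIXED_CONTENT_POLICY], directive, target);
  const both = isAllowed([BASE_MIXED_CONTENT_POLICY, pagePolicy], directive, target);
  console.log(`${directive.padEnd(11)} ${target.padEnd(36)} base:${base} base+page:${both}`);
}
```

Run with `node` to print the decision table; the interesting rows are the third, where the base policy alone would admit the script but the page's tighter `script-src` does not, and the last, where `https:` rejects a `localhost` origin whatever the user agent's own view of it is.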
Received on Wednesday, 7 May 2014 13:15:24 UTC
