- From: Mike West <mkwst@google.com>
- Date: Wed, 7 May 2014 15:14:36 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=ebnyvhOpMJbAmyNLnwzd7c33RJQRGiG+fy-tnGgwCRqw@mail.gmail.com>
That makes sense to me. CSP could certainly be used to explain how mixed content is blocked. If the resource is loaded over a secure channel, we could apply a base policy of `script-src https:; style-src https:; object-src https:; connect-src https: wss:` and allow the page to tighten it from there. Is that what you had in mind?

For this particular use case, it might make sense to define some sort of keyword for "secure content", as 'https:' doesn't actually reflect the extent of what user agents might consider securely transported.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Apr 30, 2014 at 3:29 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> I have this open issue on Fetch:
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=22262
>
> I was wondering, once we have integration between Fetch and CSP, would
> it make sense for CSP to define the mixed content blocking rules?
> Fetch should give sufficient context to execute those rules, no? Would
> be great to have it defined.
>
>
> --
> http://annevankesteren.nl/
Received on Wednesday, 7 May 2014 13:15:24 UTC
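The base-policy idea from the mail above, as an added example (not code from the thread, from Fetch, or from any user agent): a small Python evaluator that combines the proposed base policy with a page-supplied policy under CSP's rule that a request must satisfy every policy in force, so a page can tighten the base but never loosen it. The source matching is a simplified subset (scheme-sources and exact host-sources only, no wildcards, ports or `default-src` fallback), which is an assumption of this example rather than the full CSP algorithm.

```python
from urllib.parse import urlsplit

# Base policy proposed in the mail for documents loaded over a secure channel.
MIXED_CONTENT_BASE = (
    "script-src https:; style-src https:; object-src https:; connect-src https: wss:"
)


def parse_csp(policy):
    """Parse a serialized CSP string into {directive-name: [source, ...]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def source_matches(source, url):
    """Simplified CSP source matching (assumption of this example):
    a scheme-source such as 'https:' matches the URL's scheme; a host-source
    such as 'https://cdn.example' must match host and, if given, scheme."""
    u = urlsplit(url)
    if source.endswith(":") and "/" not in source:  # scheme-source
        return u.scheme == source[:-1].lower()
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    return s.hostname == u.hostname  # no wildcard, port or path handling here


def allowed_by(policy, directive, url):
    """A fetch passes one policy if the governing directive's source list
    matches it; a directive the policy does not mention imposes no restriction."""
    sources = parse_csp(policy).get(directive)
    if sources is None:
        return True
    return any(source_matches(s, url) for s in sources)


def allowed(directive, url, page_policy=""):
    """Enforce the base policy together with the page's own policy. As with
    multiple CSP headers, the request must satisfy every policy, so the page
    can only tighten the base policy, never widen it to plain http: or ws:."""
    return allowed_by(MIXED_CONTENT_BASE, directive, url) and allowed_by(
        page_policy, directive, url
    )
```

Note that the proposed base policy says nothing about `img-src`, so an `http:` image is left to the page's own policy; this is the kind of gap that a dedicated "secure content" keyword, as the mail suggests, would make easier to express.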