
Re: CSP and mixed content

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 7 May 2014 14:19:17 +0100
Message-ID: <CADnb78j+ZypDX30Zm=eWp3x+0_CoVwu+pUqmzCCa9aJr2q9=YA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, May 7, 2014 at 2:14 PM, Mike West <mkwst@google.com> wrote:
> That makes sense to me. CSP could certainly be used to explain how mixed
> content is blocked. If the resource is loaded over a secure channel, we
> could apply a base policy of `script-src https:; style-src https:;
> object-src https:; connect-src https: wss:` and allow the page to tighten it
> from there. Is that what you had in mind?

Yeah, something like that. Basically when Fetch does its CSP check
(however we decide to do that, separate thread), CSP ensures "mixed
content" is disallowed. Making that a default policy could be a way of
explaining it.

> For this particular use case, it might make sense to define some sort of
> keyword for "secure content", as 'https:' doesn't actually reflect the
> extent of what user agents might consider securely transported.
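
The base policy quoted above, modelled as an added example that is not part of this thread or of any user agent's code: a simplified CSP matcher (scheme-sources and basic host-sources only; a host-source without a scheme is assumed to take the request's scheme) that enforces the mixed-content base policy and the page's own policy independently, so the page can tighten the base policy but never loosen it.

```python
from urllib.parse import urlparse

# The base policy proposed in the quoted mail. Note it uses "https:"/"wss:" as a
# proxy for "securely transported"; this matcher models nothing beyond the scheme.
MIXED_CONTENT_BASE_POLICY = (
    "script-src https:; style-src https:; object-src https:; connect-src https: wss:"
)


def parse_policy(policy):
    """Parse a serialized CSP into {directive-name: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def source_matches(expr, url):
    """Match one source expression (scheme-source or host-source) against a URL."""
    u = urlparse(url)
    if expr.endswith(":") and "//" not in expr:        # scheme-source, e.g. "https:"
        return u.scheme == expr[:-1].lower()
    if "://" not in expr:                               # assumption: inherit request scheme
        expr = u.scheme + "://" + expr
    e = urlparse(expr)
    if e.scheme != u.scheme:
        return False
    host = (e.hostname or "")
    if host.startswith("*."):                           # wildcard host, e.g. *.example.com
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif host != u.hostname:
        return False
    return e.port is None or e.port == u.port           # simplified: no default-port logic


def policy_allows(policy, directive, url):
    """Does a single policy allow fetching url under the given directive?"""
    d = parse_policy(policy)
    sources = d.get(directive, d.get("default-src"))
    if sources is None:
        return True                                     # policy is silent on this directive
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url) for s in sources)


def fetch_allowed(directive, url, page_policy=None):
    """Every enforced policy must allow the fetch, so a page policy can only tighten."""
    policies = [MIXED_CONTENT_BASE_POLICY] + ([page_policy] if page_policy else [])
    return all(policy_allows(p, directive, url) for p in policies)
```

Directives the base policy does not list (for example img-src) are left unrestricted by it, which is exactly the gap the thread's proposed policy string leaves open.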

Received on Wednesday, 7 May 2014 13:19:44 UTC
