Re: CSP and mixed content

On Wed, May 7, 2014 at 2:14 PM, Mike West <mkwst@google.com> wrote:
> That makes sense to me. CSP could certainly be used to explain how mixed
> content is blocked. If the resource is loaded over a secure channel, we
> could apply a base policy of `script-src https:; style-src https:;
> object-src https:; connect-src https: wss:` and allow the page to tighten it
> from there. Is that what you had in mind?

Yeah, something like that. Basically when Fetch does its CSP check
(however we decide to do that, separate thread), CSP ensures "mixed
content" is disallowed. Making that a default policy could be a way of
explaining it.


> For this particular use case, it might make sense to define some sort of
> keyword for "secure content", as 'https:' doesn't actually reflect the
> extent of what user agents might consider securely transported.


-- 
http://annevankesteren.nl/

Received on Wednesday, 7 May 2014 13:19:44 UTC