- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 7 May 2014 14:19:17 +0100
- To: Mike West <mkwst@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, May 7, 2014 at 2:14 PM, Mike West <mkwst@google.com> wrote:
> That makes sense to me. CSP could certainly be used to explain how mixed
> content is blocked. If the resource is loaded over a secure channel, we
> could apply a base policy of `script-src https:; style-src https:;
> object-src https:; connect-src https: wss:` and allow the page to tighten it
> from there. Is that what you had in mind?

Yeah, something like that. Basically when Fetch does its CSP check (however we decide to do that, separate thread), CSP ensures "mixed content" is disallowed. Making that a default policy could be a way of explaining it.

> For this particular use case, it might make sense to define some sort of
> keyword for "secure content", as 'https:' doesn't actually reflect the
> extent of what user agents might consider securely transported.

--
http://annevankesteren.nl/
Received on Wednesday, 7 May 2014 13:19:44 UTC
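As an added illustration (not code from this thread or from any browser), the "base policy the page may only tighten" idea modelled as a small CSP checker in Python: a request passes only if every policy in force allows it, which is how CSP combines multiple policies. The base policy string is the one quoted above; the page policies, hosts and URLs are constructed sample inputs, and the source matching is deliberately simplified (no wildcards, paths or 'self').

```python
from urllib.parse import urlparse

# The default that the message proposes for documents loaded over a secure
# channel, quoted from the thread above.
MIXED_CONTENT_BASE_POLICY = (
    "script-src https:; style-src https:; object-src https:; "
    "connect-src https: wss:"
)


def parse_policy(text):
    """Parse 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for token in text.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source, url):
    """Match a scheme-source ('https:', 'wss:') or a host-source ('cdn.example').
    Simplified model: a scheme-source is compared literally, so 'https:' covers
    https only; a host-source is compared by host name alone."""
    parsed = urlparse(url)
    if source.endswith(":"):
        return parsed.scheme == source[:-1].lower()
    host = source.split("://")[-1].split("/")[0].split(":")[0].lower()
    return parsed.hostname == host


def policy_allows(policy, directive, url):
    """Fall back to default-src when the directive is absent; if neither is
    present the policy has nothing to say and the request is allowed."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url) for s in sources)


def request_allowed(directive, url, policies):
    """Multiple policies: every policy must allow the request, so a page
    policy can only tighten the base policy, never loosen it."""
    return all(policy_allows(parse_policy(p), directive, url) for p in policies)
```

Two things the checker makes visible: the quoted base policy names no `img-src` or `default-src`, so a plain-http image passes it unless one is added, and because 'https:' is matched literally, anything else a user agent treats as securely transported would need the "secure content" keyword Mike raises.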