Re: CSP and mixed content

Do you think a 'secure-stuff' primitive would be useful, or would you like
Fetch to define what "secure" means?


Mike West <>
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, May 7, 2014 at 3:19 PM, Anne van Kesteren <> wrote:

> On Wed, May 7, 2014 at 2:14 PM, Mike West <> wrote:
> > That makes sense to me. CSP could certainly be used to explain how mixed
> > content is blocked. If the resource is loaded over a secure channel, we
> > could apply a base policy of `script-src https:; style-src https:;
> > object-src https:; connect-src https: wss:` and allow the page to
> tighten it
> > from there. Is that what you had in mind?
> Yeah something like that. Basically when Fetch does its CSP check
> (however we decide to do that, separate thread), CSP ensures "mixed
> content" is disallowed. Making that a default policy could be a way of
> explaining it.
> > For this particular use case, it might make sense to define some sort of
> > keyword for "secure content", as 'https:' doesn't actually reflect the
> > extent of what user agents might consider securely transported.
> --

Received on Wednesday, 7 May 2014 13:22:17 UTC