Re: [webappsec] Rechartering: force secure-only child browsing contexts

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 10 Nov 2014 10:11:01 +0100
Message-ID: <CADnb78gCvmRS7uHBcoDebTeCYz+dRnDvW5Jfc85BbjYPp3-RjA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 10, 2014 at 1:07 AM, Brad Hill <hillbrad@gmail.com> wrote:
> Based on our survey results and discussion at TPAC, there is strong
> consensus on NOT chartering work on enforcing secure-only child browsing
> contexts at any level of nesting.
> The consensus was that this could be handled reasonably with existing
> mechanisms, such as only framing content from origins that themselves
> express an HSTS policy.

How exactly is that enforcement? The user can easily navigate away, no?

Received on Monday, 10 November 2014 09:11:27 UTC