Re: [webappsec] Rechartering: force secure-only child browsing contexts

On Thu, Nov 13, 2014 at 7:11 PM, Brian Smith <> wrote:

> Mike West <> wrote:
> > I think this is a pretty reasonable concept to add to MIX.
> >
> > It's not clear to me whether it should be the default behavior, or whether
> > it should be opted-into (similar to `sandbox`).
>
> Obviously, if it cannot be done by default, then it could be added as
> a sandbox directive. But, if we can avoid adding any new mechanism,
> then that is greatly preferable, for simplicity's sake.
>
> Cheers,
> Brian

So, that's a lot of hypotheticals. My gut is that they're correct, but we
need empirical data, either from a browser implementing it ("Damn the
torpedoes!") or through telemetry/metrics.

Since I like security more than complexity, consider it a +1 to spec'ing
it, and then we revisit at whatever point in the revised W3C process
people actually implement it and discover it might need to be opt-in for
some time before (eventually) becoming the default.

Received on Friday, 14 November 2014 03:28:02 UTC