
Re: Comments on Mixed Content

From: Mike West <mkwst@google.com>
Date: Thu, 15 Jan 2015 10:00:46 +0100
Message-ID: <CAKXHy=ftSKdJJSnUQgwVtM2=6gv12WzgBQS8zu9XHSWpbzGMqA@mail.gmail.com>
To: David Walp <David.Walp@microsoft.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Jan 15, 2015 at 1:27 AM, David Walp <David.Walp@microsoft.com> wrote:

> We understand your arguments. We already live with these issues every
> day. Being able to handle the intranet differently from the internet is
> important to a number of customers. Provided we are not considered out of
> compliance for how we handle the intranet, we are fine with the spec as it
> is.
>

There is nothing in the spec that distinguishes between private and public
networks (and, in fact, such a distinction
<http://www.w3.org/TR/2014/WD-mixed-content-20140916/#private-origin> was
actively removed from the spec
<https://github.com/w3c/webappsec/commit/802cc2959b928d3ef0e35a974bff81ce161ae25e>),
and I don't believe adding an intranet carveout to the spec is a good idea.

> >>> 7) Section 5.1, Example 5 - "even though the framed data URL was not".
> >>> We believe the text "even though the framed data URL was not" is
> >>> incomplete. Our opinion is that the data URL should be treated the same
> >>> as the web page that contains the data URL.
> >
> >> As a.com was loaded over a secure connection, the framed data URL
> >> inherited the secure context of its parent and hence loading from evil.com
> >> is blocked. Make sense?
> >
> > It's not clear that we're disagreeing about the conclusions here. :) Do
> > you still think the wording needs to be changed?
>
> We think being more explicit here would be helpful.
>

Does <https://github.com/w3c/webappsec/commit/537aa36231ba52455917b9a0a81deb6b6ad475d6>
address your concern?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 15 January 2015 09:01:34 UTC
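An added example (my own code, not from this thread or from the spec editors) that models the check behind the outcome Mike describes: a data: URL framed by https://a.com has an opaque origin that is not itself trustworthy, but the "does settings prohibit mixed security contexts?" check also walks the ancestor frames, finds https://a.com, and so treats a script load from http://evil.com inside the frame as mixed content. The nested-document tree shape, the `audit` helper, the set of trustworthy schemes and the simplification that every request is blockable (no optionally-blockable image/media case) are assumptions of this example, not the spec's data model.

```javascript
// Added example, not code from the mailing-list thread or the Mixed Content spec.
// Models the ancestor-walking check that makes a framed data: URL inherit the
// mixed-content restrictions of its https: parent. Assumptions: only https:,
// wss:, file: and loopback hosts are "potentially trustworthy", and every
// request is treated as blockable (script, frame, fetch), so the optionally
// blockable image/media case is not modelled. Runs under Node (URL is global).

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Approximation of the spec's "potentially trustworthy origin": a priori
// authenticated schemes, or http:/ws: on a loopback host. data:, about:,
// blob: and ordinary http: URLs are not trustworthy.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  if (["https:", "wss:", "file:"].includes(url.protocol)) return true;
  return ["http:", "ws:"].includes(url.protocol) && LOOPBACK_HOSTS.has(url.hostname);
}

// "Does settings prohibit mixed security contexts?": a document's context is
// restricted if its own URL is trustworthy OR any ancestor frame's URL is.
// `chain` lists document URLs from the document itself up to the top-level page.
// This is the step a data: frame "inherits" from its https: parent.
function prohibitsMixedSecurityContexts(chain) {
  return chain.some(isPotentiallyTrustworthy);
}

// "Should fetching request be blocked as mixed content?" for blockable content:
// block when the context is restricted and the request URL is not trustworthy.
function shouldBlockAsMixedContent(chain, requestUrl) {
  return prohibitsMixedSecurityContexts(chain) && !isPotentiallyTrustworthy(requestUrl);
}

// Walk a nested-frame tree and give each subresource request a verdict.
// `doc` is { url, requests: [...], frames: [doc, ...] } (constructed shape,
// not a DOM API); `ancestors` is the chain of enclosing documents, nearest first.
function audit(doc, ancestors = []) {
  const chain = [doc.url, ...ancestors];
  const results = [];
  for (const req of doc.requests || []) {
    results.push({ from: doc.url, request: req, blocked: shouldBlockAsMixedContent(chain, req) });
  }
  for (const child of doc.frames || []) {
    results.push(...audit(child, chain));
  }
  return results;
}

// Constructed scenario matching the thread: https://a.com frames a data: URL
// whose content tries to load a script from http://evil.com.
const EXAMPLE_TREE = {
  url: "https://a.com/",
  requests: ["https://a.com/app.js"],
  frames: [
    {
      url: 'data:text/html,<script src="http://evil.com/x.js"></script>',
      requests: ["http://evil.com/x.js"],
    },
  ],
};

// The same data: document framed by a plain http: page: no ancestor is
// trustworthy, so nothing is restricted and the http://evil.com load proceeds.
const HTTP_TREE = {
  url: "http://a.com/",
  frames: [{ url: "data:text/html,<p>hi</p>", requests: ["http://evil.com/x.js"] }],
};

for (const r of audit(EXAMPLE_TREE)) {
  console.log(`${r.blocked ? "BLOCK" : "allow"} ${r.request} (document: ${r.from})`);
}
```

Running it prints `allow https://a.com/app.js` for the top-level page and `BLOCK http://evil.com/x.js` for the request made from inside the data: frame, which is the "even though the framed data URL was not [loaded over a secure connection]" case from Example 5. Swapping the top-level page to http://a.com (the `HTTP_TREE` case) shows that the data: URL carries no restriction of its own; it only ever inherits one.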
