W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: Comments on Mixed Content

From: Mike West <mkwst@google.com>
Date: Thu, 15 Jan 2015 10:00:46 +0100
Message-ID: <CAKXHy=ftSKdJJSnUQgwVtM2=6gv12WzgBQS8zu9XHSWpbzGMqA@mail.gmail.com>
To: David Walp <David.Walp@microsoft.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jan 15, 2015 at 1:27 AM, David Walp <David.Walp@microsoft.com> wrote:

> We understand your arguments. We already live with these issues every
> day. Being able to handle the intranet differently from the internet is
> important to a number of customers. Provided we are not considered out of
> compliance for how we handle the intranet, we are fine with the spec as it
> is.

There is nothing in the spec that distinguishes between private and public
networks (and, in fact, such a distinction was actively removed from the
spec), and I don't believe adding an intranet carveout to the spec is a
good idea.

> >>> 7) Section 5.1, Example 5 - "even though the framed data URL was not".
> >>> We believe the text "even though the framed data URL was not" is
> >>> incomplete. Our opinion is that the data URL should be treated the same
> >>> as the web page that contains the data URL.
> >> As a.com was loaded over a secure connection, the framed data URL
> >> inherited the secure context of its parent and hence loading from evil.com
> >> is blocked. Make sense?
> > It's not clear that we're disagreeing about the conclusions here. :) Do
> > you still think the wording needs to be changed?
>
> We think being more explicit here would be helpful.

address your concern?


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 15 January 2015 09:01:34 UTC
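Added example, not part of the thread or of the spec text: a small model of the Mixed Content draft's "Does settings prohibit mixed security contexts?" check and the mixed-content decision built on it, applied to the Example 5 case discussed above (https://a.com frames a data: URL, and the framed document then fetches from http://evil.com). The function names, the document tree and the reduced "potentially trustworthy" rules are constructed for this example and are not browser code.

```javascript
// Origin of a document loaded from `urlString`. data:, about: and javascript:
// documents get an opaque origin, modelled here as null: they are not
// themselves potentially trustworthy, which is the point of Example 5.
function originOfDocumentUrl(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1);
  if (scheme === 'data' || scheme === 'about' || scheme === 'javascript') return null;
  return { scheme, host: u.hostname };
}

// "Is origin potentially trustworthy?", reduced to the cases used here:
// https/wss/file and loopback addresses. An opaque origin never is.
function isPotentiallyTrustworthyOrigin(origin) {
  if (origin === null) return false;
  if (['https', 'wss', 'file'].includes(origin.scheme)) return true;
  const host = origin.host.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  return host === '::1' || /^127\./.test(host);
}

// Build a document node; `parent` is the embedding document (null at the top).
function documentOf(urlString, parent = null) {
  return { url: urlString, origin: originOfDocumentUrl(urlString), parent };
}

// "Does settings prohibit mixed security contexts?": walk from the document up
// through its ancestors. Any potentially trustworthy origin on the way makes
// the whole chain a secure context that forbids mixed content, even when the
// document itself (a data: frame) has an opaque origin.
function prohibitsMixedSecurityContexts(doc) {
  for (let d = doc; d !== null; d = d.parent) {
    if (isPotentiallyTrustworthyOrigin(d.origin)) return true;
  }
  return false;
}

// Is a fetch of `requestUrl` from `doc` mixed content? True when the context
// prohibits mixed content and the request URL is not a priori authenticated,
// simplified here to: its origin is not potentially trustworthy and it is not
// a data: or about:blank URL (which involve no network exposure).
function isMixedContent(doc, requestUrl) {
  if (!prohibitsMixedSecurityContexts(doc)) return false;
  const u = new URL(requestUrl);
  if (u.protocol === 'data:' || requestUrl === 'about:blank') return false;
  return !isPotentiallyTrustworthyOrigin(originOfDocumentUrl(requestUrl));
}

// Example 5: https://a.com frames a data: URL that tries to load evil.com.
const top = documentOf('https://a.com/');
const frame = documentOf(
  'data:text/html,<script src="http://evil.com/evil.js"></script>', top);
console.log('data: frame -> http://evil.com :',
  isMixedContent(frame, 'http://evil.com/evil.js'));      // true: blocked
console.log('data: frame -> https://evil.com:',
  isMixedContent(frame, 'https://evil.com/evil.js'));     // false
console.log('http://a.com -> http://evil.com:',
  isMixedContent(documentOf('http://a.com/'), 'http://evil.com/evil.js')); // false
```

The ancestor walk in `prohibitsMixedSecurityContexts` is what makes the data: frame inherit the secure context of a.com: the frame's own origin is opaque and would never be trustworthy on its own, but the walk reaches the https parent and the http fetch is classified as mixed content.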
