Re: Comments on Mixed Content

On Thu, Jan 15, 2015 at 1:27 AM, David Walp <David.Walp@microsoft.com>
wrote:

> We understand your arguments. We already live with these issues every
> day. Being able to handle the intranet differently from the internet is
> important to a number of customers. Provided we are not considered out of
> compliance for how we handle the intranet, we are fine with the spec as it
> is.
>

There is nothing in the spec that distinguishes between private and public
networks (and, in fact, such a distinction
<http://www.w3.org/TR/2014/WD-mixed-content-20140916/#private-origin>
was actively removed from the spec
<https://github.com/w3c/webappsec/commit/802cc2959b928d3ef0e35a974bff81ce161ae25e>),
and I don't believe adding an intranet carveout to the spec is a good idea.

> >>> 7) Section 5.1, Example 5 - "even though the framed data URL was not".
> >>> We believe the text "even though the framed data URL was not" is
> >>> incomplete. Our opinion is that the data URL should be treated the same as
> >>> the web page that contains the data URL.
> >>
> >> As a.com was loaded over a secure connection, the framed data URL
> >> inherited the secure context of its parent and hence loading from evil.com
> >> is blocked. Make sense?
> >
> > It's not clear that we're disagreeing about the conclusions here. :) Do
> > you still think the wording needs to be changed?
>
> We think being more explicit here would be helpful.
>

Does https://github.com/w3c/webappsec/commit/537aa36231ba52455917b9a0a81deb6b6ad475d6
address your concern?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 15 January 2015 09:01:34 UTC
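The data: URL case argued over in the thread (an https://a.com page frames a data: URL, which then tries to load from evil.com over plain HTTP), as an added example that is not part of the thread or of the spec's own text: a small JavaScript model of the two questions the Mixed Content draft asks, "does this settings object prohibit mixed security contexts?" (answered by walking the frame chain, which is how the data: frame inherits its parent's secure context) and "is the requested URL a priori authenticated?". The scheme lists, the loopback hosts and the blockable / optionally-blockable split are my simplified reading of the 2014 WD rather than text quoted from it, and every frame chain and URL below is constructed; it runs under Node.js (global URL class).

```javascript
// Added example, not from the thread or the spec: a toy model of the Mixed
// Content checks for a frame that embeds a data: URL. Scheme lists and the
// blockable / optionally-blockable split are a simplified reading of the
// 2014 WD; all frame chains and URLs below are constructed. Needs Node >= 10
// for the global URL class.

const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// "A priori authenticated" URL: a fetch of it cannot be tampered with by a
// network attacker, either because the transport is authenticated (https,
// wss, loopback) or because it never touches the network (data:, about:).
function isAPrioriAuthenticated(urlString) {
  const url = new URL(urlString);
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  if (url.protocol === 'data:' || url.protocol === 'about:') return true;
  return LOOPBACK_HOSTS.has(url.hostname);
}

// Is a Document's own origin potentially trustworthy? A data: document has an
// opaque origin, so on its own it is NOT trustworthy; it only ends up in a
// secure context through its ancestors (the point made in the thread).
function originIsPotentiallyTrustworthy(documentUrl) {
  const url = new URL(documentUrl);
  if (url.protocol === 'data:') return false;
  return url.protocol === 'https:' || url.protocol === 'wss:' ||
    LOOPBACK_HOSTS.has(url.hostname);
}

// "Does settings prohibit mixed security contexts?": walk the frame chain
// (top-level document first, fetching document last). One trustworthy
// document anywhere in the chain is enough; an https://a.com page framing a
// data: URL therefore makes the data: frame a secure context too.
function prohibitsMixedSecurityContexts(frameChain) {
  return frameChain.some(originIsPotentiallyTrustworthy);
}

// Request destinations the draft treats as optionally-blockable (a UA may
// still load them, typically with a warning); everything else is blockable.
const OPTIONALLY_BLOCKABLE = new Set(['image', 'audio', 'video']);

// Verdict for a subresource fetch issued from the innermost frame.
function mixedContentVerdict(frameChain, requestUrl, destination) {
  if (!prohibitsMixedSecurityContexts(frameChain)) return 'allowed';
  if (isAPrioriAuthenticated(requestUrl)) return 'allowed';
  return OPTIONALLY_BLOCKABLE.has(destination) ? 'optionally-blockable' : 'blocked';
}

// Constructed scenario from the thread: a.com over HTTPS frames a data: URL
// that tries to pull a script from evil.com over plain HTTP.
const example5 = [
  'https://a.com/',
  'data:text/html,<script src="http://evil.com/x.js"></script>',
];
console.log(mixedContentVerdict(example5, 'http://evil.com/x.js', 'script')); // → blocked

// Same data: frame, but the embedding page itself was plain HTTP: nothing in
// the chain is a secure context, so the fetch proceeds.
console.log(mixedContentVerdict(['http://a.com/', example5[1]],
  'http://evil.com/x.js', 'script')); // → allowed
```

The frame-chain walk is the part that matters for the wording dispute: the data: document is never trustworthy by itself, so whether evil.com is blocked depends entirely on the documents above it in the tree.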