- From: Brian Smith <brian@briansmith.org>
- Date: Mon, 19 Jan 2015 11:12:55 -0800
- To: Mike West <mkwst@google.com>
- Cc: David Walp <David.Walp@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michael Cooper <cooper@w3.org>

Mike West <mkwst@google.com> wrote:

> I think that treating optionally blockable content in frames as blockable
> would be a fine thing for vendors to experiment with.

OK.

Would adding a policy of "Content-Security-Policy: strict-mixed-content-checking" have any effects implicitly other than setting the strict mode flag? That is, would there be any reason to not recommend that every web page (that doesn't intend to have mixed content) set a policy of "Content-Security-Policy: strict-mixed-content-checking"? Another way of phrasing this question is "Is an empty policy equivalent to no policy?"

I'd like to suggest that you rename the directive to "no-mixed-content". I think "checking" in the name doesn't aid in comprehension and is just noise. I also think "no" would be clearer than "strict" in conveying the effects to a web developer who hasn't read the spec.

Cheers,
Brian

Received on Monday, 19 January 2015 19:13:23 UTC