Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

Mike West <mkwst@google.com> wrote:
> I think that treating optionally blockable content in frames as blockable
> would be a fine thing for vendors to experiment with.

OK.

Would adding a policy of "Content-Security-Policy:
strict-mixed-content-checking" have any effects implicitly other than
setting the strict mode flag? That is, would there be any reason to not
recommend that every web page (that doesn't intend to have mixed
content) set a policy of "Content-Security-Policy:
strict-mixed-content-checking"?

Another way of phrasing this question is "Is an empty policy
equivalent to no policy?"

I'd like to suggest that you rename the directive to
"no-mixed-content". I think "checking" in the name doesn't aid in
comprehension and is just noise. I also think "no" would be clearer
than "strict" in conveying the effects to a web developer who hasn't
read the spec.

Cheers,
Brian

Received on Monday, 19 January 2015 19:13:23 UTC