W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

From: Brian Smith <brian@briansmith.org>
Date: Mon, 19 Jan 2015 11:12:55 -0800
Message-ID: <CAFewVt7Y0tGZpznScKJYhjZXX9wy4977M94r5nX3ytFwDbwj9A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: David Walp <David.Walp@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michael Cooper <cooper@w3.org>
Mike West <mkwst@google.com> wrote:
> I think that treating optionally blockable content in frames as blockable
> would be a fine thing for vendors to experiment with.

OK.

Would adding a policy of "Content-Security-Policy:
strict-mixed-content-checking" have any effects implicitly other than
setting the strict mode flag? That is, would there any reason to not
recommend that every web page (that doesn't intend to have mixed
content) set a policy of "Content-Security-Policy:
strict-mixed-content-checking"?

Another way of phrasing this question is "Is an empty policy
equivalent to no policy?"

I'd like to suggest that you rename the directive to
"no-mixed-content". I think "checking" in the name doesn't aid in
comprehension and is just noise. I also think "no" would be clearer
than "strict" in conveying the effects to a web developer who hasn't
read the spec.

Cheers,
Brian
Received on Monday, 19 January 2015 19:13:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC