Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

On Mon, Jan 19, 2015 at 8:12 PM, Brian Smith <brian@briansmith.org> wrote:

> Mike West <mkwst@google.com> wrote:
> > I think that treating optionally blockable content in frames as blockable
> > would be a fine thing for vendors to experiment with.
>
> OK.
>
> Would adding a policy of "Content-Security-Policy:
> strict-mixed-content-checking" have any effects implicitly other than
> setting the strict mode flag? That is, would there be any reason to not
> recommend that every web page (that doesn't intend to have mixed
> content) set a policy of "Content-Security-Policy:
> strict-mixed-content-checking"?
>

No, and no. Every website that cares should probably set this policy.

> Another way of phrasing this question is "Is an empty policy
> equivalent to no policy?"
>

Yes.


> I'd like to suggest that you rename the directive to
> "no-mixed-content". I think "checking" in the name doesn't aid in
> comprehension and is just noise. I also think "no" would be clearer
> than "strict" in conveying the effects to a web developer who hasn't
> read the spec.
>

Sounds reasonable.

Any objections? Going once... going twice...

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
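The two answers above (the directive does nothing beyond setting the strict mode flag, and an empty policy is equivalent to no policy) are easy to state and easy to get wrong in an implementation. The following is an added example, not code from the thread or from any browser: a small model of how a user agent would derive the flag from one or more Content-Security-Policy header values and what the flag changes about a mixed-content decision. The directive name is the one under discussion in the thread (the rename to "no-mixed-content" is proposed, not settled, at this point), and the split into "blockable" versus "optionally blockable" destinations, the treatment of only http: and ws: as insecure, and the three decision strings are simplifying assumptions for illustration rather than the spec's exact wording.

```javascript
// Added example, not part of the original thread or any browser's code.
// Directive name as discussed in the thread; the rename is still a proposal.
const STRICT_DIRECTIVE = 'strict-mixed-content-checking';

// Parse one or more Content-Security-Policy header values into a list of
// policies. Each policy is a Map of directive-name -> token list. Multiple
// headers and comma-joined values produce multiple policies, and a policy
// containing no directives (empty string, or only ';' and whitespace) is
// dropped: an empty policy is equivalent to no policy.
function parseCsp(headerValues) {
  const policies = [];
  for (const value of headerValues) {
    for (const serialized of value.split(',')) {
      const policy = new Map();
      for (const rawDirective of serialized.split(';')) {
        const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        const name = tokens[0].toLowerCase();
        if (policy.has(name)) continue; // first occurrence of a directive wins
        policy.set(name, tokens.slice(1));
      }
      if (policy.size > 0) policies.push(policy);
    }
  }
  return policies;
}

// The only effect of the directive: it sets the strict mode flag when any
// delivered policy contains it. Nothing else in the policy is touched.
function strictMixedContentFlag(headerValues) {
  return parseCsp(headerValues).some(policy => policy.has(STRICT_DIRECTIVE));
}

// Assumption for this example: the legacy "passive" destinations are the
// optionally blockable ones; every other destination is blockable.
const OPTIONALLY_BLOCKABLE = new Set(['image', 'audio', 'video']);

// Decide what happens to a subresource request from a document at
// documentOrigin. Returns 'allow', 'allow-with-warning' or 'block'.
// Assumption: only http: and ws: count as insecure schemes here.
function mixedContentDecision(documentOrigin, requestUrl, destination, strict) {
  if (!documentOrigin.startsWith('https:')) return 'allow'; // no mixed content without a secure context
  const scheme = new URL(requestUrl).protocol;
  if (scheme !== 'http:' && scheme !== 'ws:') return 'allow'; // request is not insecure
  if (OPTIONALLY_BLOCKABLE.has(destination) && !strict) return 'allow-with-warning';
  return 'block'; // blockable content, or strict mode turned optionally blockable into blockable
}

// Stand-alone demonstration on constructed header values.
if (typeof require !== 'undefined' && require.main === module) {
  const headers = ["default-src 'self', " + STRICT_DIRECTIVE];
  console.log('strict flag:', strictMixedContentFlag(headers));
  console.log('empty policy parses to', parseCsp(['', ' ; ; ']).length, 'policies');
  console.log('http image, strict:', mixedContentDecision('https://example.com', 'http://cdn.example/a.png', 'image', true));
  console.log('http image, non-strict:', mixedContentDecision('https://example.com', 'http://cdn.example/a.png', 'image', false));
}
```

The parser keeps only the first occurrence of a directive within one policy and merges nothing across policies, so a page that sends `strict-mixed-content-checking` in a second header gets the flag without any change to the directives in the first, which is the "no effects other than setting the flag" property the thread asks about.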

Received on Monday, 19 January 2015 19:28:15 UTC