On Mon, Jan 19, 2015 at 8:12 PM, Brian Smith <brian@briansmith.org> wrote:
> Mike West <mkwst@google.com> wrote:
> > I think that treating optionally blockable content in frames as blockable
> > would be a fine thing for vendors to experiment with.
>
> OK.
>
> Would adding a policy of "Content-Security-Policy:
> strict-mixed-content-checking" have any effects implicitly other than
> setting the strict mode flag? That is, would there be any reason to not
> recommend that every web page (that doesn't intend to have mixed
> content) set a policy of "Content-Security-Policy:
> strict-mixed-content-checking"?
>
No, and no. Every website that cares should probably set this policy.
>
> Another way of phrasing this question is "Is an empty policy
> equivalent to no policy?"
>
Yes.
>
> I'd like to suggest that you rename the directive to
> "no-mixed-content". I think "checking" in the name doesn't aid in
> comprehension and is just noise. I also think "no" would be clearer
> than "strict" in conveying the effects to a web developer who hasn't
> read the spec.
>
Sounds reasonable.
Any objections? Going once... going twice...
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)