Aha, yes, my mistake. So then I more emphatically suggest that we need a resource-level flag. One of the other unfortunate things ads do is start as a <script> tag and then dynamically inject an <iframe>. Preventing any HTTP requests from happening in descendant contexts seems a reasonable goal. (even if <script> => <iframe> is a horrible pattern) On Mon Dec 15 2014 at 11:42:13 AM Mike West <mkwst@google.com> wrote: > On Mon, Dec 15, 2014 at 8:39 PM, Brad Hill <hillbrad@gmail.com> wrote: >> >> >> >>> I guess that would be implied by the iframe sandbox attribute which >>>> would be included-by-reference into CSP's sandbox directive. It just seems >>>> ugly that you'd have to set a sandbox and christmas-tree the flags to get >>>> this behavior. It also seems a bit out-of-pattern to add new flags to >>>> sandboxing in this way. All the other flags loosen the sandbox. >>>> >>> >>> I don't understand your point here. :/ >>> >> >> (sorry, slang decoder here: >> http://en.wikipedia.org/wiki/Christmas_tree_packet ) >> >> If the strict checking for descendants is the only behavior you want, you >> have to set sandbox on yourself, then opt-out of everything AND opt-in to >> this new flag. >> > > Ah, there's the confusion. This isn't a new sandbox flag for exactly that > reason. It's a new attribute on the iframe element. That is, you'd write > `<iframe strict-mixed-content-checking src="...">` (or whatever we called > it). > > -mike > > -- > Mike West <mkwst@google.com>, @mikewest > > Google Germany GmbH, Dienerstrasse 12, 80331 München, > Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der > Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth > Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) > >>
Received on Monday, 15 December 2014 19:49:34 UTC