Re: Strict mixed content checking (was Re: MIX: Exiting last call?)

On Wed, Dec 17, 2014 at 9:08 AM, Mike West <mkwst@google.com> wrote:
>
> On Dec 16, 2014 9:35 PM, "Brian Smith" <brian@briansmith.org> wrote:
>
>> On Mon, Dec 15, 2014 at 10:39 PM, Mike West <mkwst@google.com> wrote:
>> > Hrm. I don't think we can do this by default; if we could, we wouldn't
>> be
>> > making a distinction between blockable and optionally-blockable at all,
>> but
>> > it seems like there's general agreement that we're not there yet.
>> >
>> > How do you see strict-mode-by-default playing out?
>>
>> I mean, do not block optionally-blockable content within the main
>> document, but block it by default in all frames. That + "default-src
>> https wss" would be equivalent to your suggested
>> strict-mixed-content-checking directive.
>>
>
With the exception that CSP does not inherit to subframes (so you'd still
get the UI offering users the ability to load blockable mixed content), and
has script-related side effects ('unsafe-inline', 'unsafe-eval'), pretty
much yes.

I've added this as a suggested experiment in the "Further Action" section
of the spec:
https://w3c.github.io/webappsec/specs/mixedcontent/#further-action. I hope
that's a satisfactory compromise.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 17 December 2014 09:35:55 UTC