On 29 July 2013 17:47, Stefan Arentz <sare...@mozilla.com> wrote:
> Can CSP play a role here?
>
> What if my site is on https://foo.com and I set connect-src to http://foo.com
> ? Would that override the mixed content blocking? If not, is that something
> we should implement?
>
Interesting idea. I'm pretty sure we don't do this now (remembering the code; untested). Indeed, the idea of CSP is for a page to lock down the external sources, not open them up.

Rather than setting a CORS-style header on the WebSocket resource ("X-Access-Control-Security: externally-verifiable"), we could make a new CSP header for the hosting page ("X-Content-Security-Policy-Allow: connect-src 'http-self'") to add in extra policy options for the page. It's hard to say which is better. Perhaps the per-resource CORS approach is preferable.

Nicholas

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
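The behaviour the thread is discussing, as an added example that is not part of the original messages and not Firefox's code: a small JavaScript model of the two independent checks a browser applies before a page may open a connection (XHR/fetch/WebSocket), mixed content blocking and the CSP connect-src directive. It shows the point Nicholas makes: a connect-src entry naming http://foo.com on an https page cannot override mixed content blocking, because the policy can only narrow the set of reachable targets. The source-expression matcher is a deliberately simplified subset of CSP (an assumed upgrade-only scheme rule, no path matching, no nonces or hashes) and the mixed content check omits the loopback exemption real browsers have; the page URLs, policies and target URLs are constructed test inputs.

```javascript
// Added example, not code from the thread or from Firefox: a model of the two
// independent checks applied before a page may open a connection, using the
// WHATWG URL class (global in Node and browsers). Source-expression matching
// is a simplified subset of CSP; the mixed content rule has no loopback exemption.
'use strict';

const DEFAULT_PORT = { 'http:': '80', 'ws:': '80', 'https:': '443', 'wss:': '443' };

// Values of the directive governing connections: connect-src, falling back to
// default-src, or null when the policy says nothing about connections at all.
function connectSources(cspHeader) {
  let connect = null, def = null;
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (name === 'connect-src' && connect === null) connect = tokens.slice(1);
    if (name === 'default-src' && def === null) def = tokens.slice(1);
  }
  return connect !== null ? connect : def;
}

// Simplified (assumed) scheme rule: an expression for a scheme also matches the
// secure variant of that scheme, never the other direction.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === 'http:' && urlScheme === 'https:') ||
    (exprScheme === 'ws:' && urlScheme === 'wss:');
}

function hostMatches(exprHost, urlHost) {
  if (exprHost === '*') return true;
  if (exprHost.startsWith('*.')) {
    const suffix = exprHost.slice(1);               // "*.foo.com" -> ".foo.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return exprHost === urlHost;
}

// Does one source expression ('self', https:, *.foo.com:8443, ...) match url?
// The page URL is needed for 'self' and for scheme-less host expressions.
function sourceMatches(expr, url, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    if (url.origin === page.origin) return true;
    // An https page may reach a WebSocket on its own host and port over wss.
    return page.protocol === 'https:' && url.protocol === 'wss:' &&
      url.hostname === page.hostname && url.port === page.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {         // scheme-source, e.g. "https:"
    return schemeMatches(expr.toLowerCase(), url.protocol);
  }
  // host-source: [scheme://]host[:port][/path]; the path part is ignored here.
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;                             // unrecognised expression: no match
  const exprScheme = (m[1] || page.protocol).toLowerCase();
  const exprHost = m[2].toLowerCase();
  const exprPort = m[3];
  if (!schemeMatches(exprScheme, url.protocol)) return false;
  if (!hostMatches(exprHost, url.hostname)) return false;
  if (exprPort === undefined) return url.port === ''; // no port given: url must use its scheme's default
  if (exprPort === '*') return true;
  return exprPort === (url.port || DEFAULT_PORT[url.protocol]);
}

function cspAllowsConnection(cspHeader, page, url) {
  const sources = connectSources(cspHeader);
  if (sources === null) return true;                // policy does not govern connections
  return sources.some(expr => sourceMatches(expr, url, page));
}

// Mixed content: a document delivered over https must not open plaintext
// connections, whatever its CSP says.
function isMixedContent(page, url) {
  return page.protocol === 'https:' && (url.protocol === 'http:' || url.protocol === 'ws:');
}

// Combined decision. Mixed content blocking is not a policy the page can relax,
// so it is checked first; CSP can then only narrow the set of allowed targets.
function decideConnection(pageUrl, cspHeader, targetUrl) {
  const page = new URL(pageUrl), url = new URL(targetUrl);
  if (isMixedContent(page, url)) return { allowed: false, reason: 'mixed-content' };
  if (!cspAllowsConnection(cspHeader, page, url)) return { allowed: false, reason: 'csp' };
  return { allowed: true, reason: 'ok' };
}

// Constructed cases, including the one from the thread (https page, connect-src http://foo.com).
const CASES = [
  ['https://foo.com/', 'connect-src http://foo.com', 'ws://foo.com/socket'],
  ['https://foo.com/', 'connect-src http://foo.com', 'http://foo.com/api'],
  ['https://foo.com/', "connect-src 'self'", 'wss://foo.com/socket'],
  ['https://foo.com/', 'connect-src https://foo.com', 'wss://evil.example/'],
  ['http://foo.com/', 'connect-src http://foo.com', 'http://foo.com/api'],
];
for (const [page, policy, target] of CASES) {
  const d = decideConnection(page, policy, target);
  console.log(`${page} + "${policy}" -> ${target}: ${d.allowed ? 'allowed' : 'blocked'} (${d.reason})`);
}
```

The order of the two checks is the design point: the mixed content decision is taken from the document's own scheme and the target's scheme alone, so no header the page sends can widen it, while connect-src is consulted only to reject targets the page has not listed.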