W3C home > Mailing lists > Public > public-html-media@w3.org > November 2014

Transition Announcement: Mixed Content to Last Call Working Draft

From: Brad Hill <hillbrad@fb.com>
Date: Tue, 11 Nov 2014 01:08:15 +0000
To: "chairs@w3.org" <chairs@w3.org>
CC: "webapps@w3.org" <webapps@w3.org>, "public-html-media@w3.org" <public-html-media@w3.org>, "public-geolocation@w3.org" <public-geolocation@w3.org>
Message-ID: <D086A17F.D8B%hillbrad@fb.com>
On behalf of the WebAppSec WG I would like to announce the transition of
Mixed Content to Last Call Working Draft and request review and comment by
all interested parties.

The document will be officially published on Nov 13 at:

http://www.w3.org/TR/2014/WD-mixed-content-20141113/


Abstract:
---------
Mixed Content describes how user agents should handle rendering and
execution of content loaded over unencrypted or unauthenticated
connections in the context of an encrypted and authenticated document.


Laypersons Abstract:
--------------------
In less security jargony terms, this report is about normalizing and
locking down browser behavior when  e.g. an image or script is (asked to
be) loaded over http from an https resource.  The spec defines categories
for both "blockable" and "optionally-blockable" content with the
recognition that, "draconian blocking policies applied to some types of
mixed content are (for the moment) infeasible."

The draft also speaks to "Secure Contexts for Powerful Features", a
potentially cross-cutting concern for many Web APIs.  If you are
considering or people are asking your WG to only allow access to an API
from a secure context, this document defines how the determination of a
secure context is made, and you should review it.

A modification to the WebSocket constructor algorithm is also made to
forbid the creation of insecure web sockets, and the completion of wss://
sockets that are weakly TLS-protected, from secure contexts which restrict
mixed content.



Who should review and comment:
------------------------------
In particular, I am aware that at least the WebApps, Geolocation, HTML
(for EME) and WebCrypto WGs all have APIs which require or are being
debated to possibly require a secure context and we request review and
comments from these groups.




The deadline for Last Call comments is 11 December 2014, and feedback
should be sent to public-webappsec@w3.org.

Thank you,

Brad Hill
Co-chair, WebAppSec WG


Received on Tuesday, 11 November 2014 01:08:44 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:33:05 UTC