- From: Mike West <mkwst@google.com>
- Date: Tue, 28 Oct 2014 17:09:18 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cmB_LAcJLvGm3M+7POFAPgCr1b6oa5jVXFmB8u2K_+zw@mail.gmail.com>
That works for me, and is more or less exactly what I'd have suggested. That said, one nit: Chrome has no need to distinguish between "deprecated" and "weak", but other browsers might. -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Tue, Oct 28, 2014 at 5:05 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Thu, Oct 23, 2014 at 5:06 PM, Anne van Kesteren <annevk@annevk.nl> > wrote: > > So I guess whether something is weakly authenticated should first be > > exposed on a response. And then propagated by the navigate and run a > > worker algorithms somehow for environment settings objects. > > I would prefer not using http://www.w3.org/TR/wsc-ui/ as a building > block since it's not actively maintained. I think for now I'll just > define a "TLS state" field which is "protected", "deprecated", or > "none" and leave it up to implementers to pick between "protected" and > "deprecated" (that seems to be current best practice :/) and then > Mixed Content and co can build upon that. > > > -- > https://annevankesteren.nl/ >
Received on Tuesday, 28 October 2014 16:10:08 UTC