On Thu, Oct 30, 2014 at 9:35 AM, Mike West <mkwst@google.com> wrote: > > All these terms get irky when you apply them to resources created from >> blob or data URLs. >> > > +Chris Palmer, who loves nothing more than naming things. > How about this: let's avoid the problem entirely by just answering the question "Can I use powerful features in this context?": https://w3c.github.io/webappsec/specs/mixedcontent/#powerful-features > >> > I don't believe there are any substantive controversies remaining, but >> if >> > I've missed anything, this CfC is a nice forcing function to get it out >> into >> > the open. :) >> >> I think it is still problematic that it tries to make claims based on >> origins. I thought the idea was to do away with that and instead base >> those checks on objects that can actually assertions about involvement >> of TLS or localhost, namely responses and environment settings >> objects. >> > > Hrm. Yeah, I did want to do something with that. I'll poke at it today. > Rewrote the section, as above. Take a look! -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 30 October 2014 11:48:02 UTC