Hello, WebAppSec and TAG, This is a call for consensus to transition Secure Contexts to Candidate Recommendation with the document at: https://w3c.github.io/webappsec-secure-contexts/CR.html Since the last time we formally discussed this spec, we've cleaned up examples and algorithms based on some very helpful feedback from folks at Mozilla working on their implementation (thanks Boris and Jonathan!), as well as interested folks from the TAG and elsewhere (thanks to Anne and Domenic in particular). The core of the specification is already used in a number of specifications to gate certain features (like Service Workers) to contexts which offer guarantees about their usage, and browser vendors seem interested in implementing. One substantive change since the last time around is the sandbox behavior in https://w3c.github.io/webappsec-secure-contexts/CR.html#monkey-patching-sandbox-flags, which now defaults to forcing a sandboxed frame into "non-secure context" status, and requires a new 'allow-secure-context' token to allow the context to be treated as secure. It's not clear whether we can ship that change; it's marked as "at risk" pending gathering some metrics. Note also that this document references WHATWG documents in a few places where the W3C version is out of date. I'm sure we'll have some exciting conversations about those references: https://w3c.github.io/webappsec-secure-contexts/CR.html#index-defined-elsewhere contains a complete list. The deadline for this CfC is in two weeks, on August 2nd. Feedback, both positive and negative is welcome, either directly to the list, or via some sort of clever emoji response to https://github.com/w3c/webappsec-secure-contexts/issues/39. Thanks! -mike
Received on Tuesday, 19 July 2016 13:22:47 UTC