mixed content level 2 spec from Emily Stark on 2019-09-05 (public-webappsec@w3.org from September 2019)

From: Emily Stark <estark@google.com>
Date: Wed, 4 Sep 2019 19:22:31 -0700
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Carlos Joan Rafael Ibarra Lopez <carlosil@google.com>, Mike West <mkwst@google.com>
Message-ID: <CAPP_2Sati-uJk6DA44pEEDZjgN_udOMVcN40bzFgw337BLwXgA@mail.gmail.com>

Hi everyone,

We've been discussing what Mixed Content Level 2 might look like for quite
a while now. We finally got around to writing up a draft of a spec:
https://w3c.github.io/webappsec-mixed-content/level2.html

This document specifies that optionally-blockable content should be
upgraded to HTTPS, and blocked if the upgrade fails. We are also
experimenting with autoupgrading blockable content, though our priority is
to first ship autoupgrading for optionally-blockable content so that all
mixed content is upgraded or blocked by default.

We've had autoupgrading running as an experiment in Chrome for quite some
time, and it's now at 50% of beta channel. We're seeing somewhere in the
neighborhood of 1% of page loads with a broken subresource due to
autoupgrading. Therefore, we're working on a plan to ship autoupgrading
gradually, starting with less common resource types (audio, video) and
progressing to images. We hope to have more details to share regarding
timeline for shipping by TPAC.

Feedback welcome, here or on github!

Thanks,
Emily

Received on Thursday, 5 September 2019 02:23:10 UTC