- From: Brad Hill <hillbrad@fb.com>
- Date: Tue, 11 Nov 2014 01:08:15 +0000
- To: "chairs@w3.org" <chairs@w3.org>
- CC: "webapps@w3.org" <webapps@w3.org>, "public-html-media@w3.org" <public-html-media@w3.org>, "public-geolocation@w3.org" <public-geolocation@w3.org>
On behalf of the WebAppSec WG I would like to announce the transition of Mixed Content to Last Call Working Draft and request review and comment by all interested parties.

The document will be officially published on Nov 13 at:

http://www.w3.org/TR/2014/WD-mixed-content-20141113/

Abstract:
---------

Mixed Content describes how user agents should handle rendering and execution of content loaded over unencrypted or unauthenticated connections in the context of an encrypted and authenticated document.

Layperson's Abstract:
---------------------

In less security jargony terms, this report is about normalizing and locking down browser behavior when e.g. an image or script is (asked to be) loaded over http from an https resource. The spec defines categories for both "blockable" and "optionally-blockable" content with the recognition that, "draconian blocking policies applied to some types of mixed content are (for the moment) infeasible."

The draft also speaks to "Secure Contexts for Powerful Features", a potentially cross-cutting concern for many Web APIs. If you are considering or people are asking your WG to only allow access to an API from a secure context, this document defines how the determination of a secure context is made, and you should review it.

A modification to the WebSocket constructor algorithm is also made to forbid the creation of insecure web sockets, and the completion of wss:// sockets that are weakly TLS-protected, from secure contexts which restrict mixed content.

Who should review and comment:
------------------------------

In particular, I am aware that at least the WebApps, Geolocation, HTML (for EME) and WebCrypto WGs all have APIs which require or are being debated to possibly require a secure context and we request review and comments from these groups.

The deadline for Last Call comments is 11 December 2014, and feedback should be sent to public-webappsec@w3.org.

Thank you,

Brad Hill
Co-chair, WebAppSec WG
Received on Tuesday, 11 November 2014 01:08:43 UTC