RfC: WebAppSec's Last Call Working Draft of Mixed Content; deadline December 11

[ Bcc: public-review-announce ]

All,

This is a Request for Comments for the November 13 Last Call Working 
Draft of WebAppSec's Mixed Content specification:

<http://www.w3.org/TR/2014/WD-mixed-content-20141113/>

Please see in particular the spec's "Modifications to WebSockets" 
section <http://www.w3.org/TR/mixed-content/#websockets-integration>.

Individual WG members are encouraged to provide individual feedback.

If anyone in WebApps wants to propose an official group response, please 
do so ASAP, in reply to this e-mail so the group can discuss it.

Comments should be sent to public-webappsec @ w3.org [1] by December 11. 
Presumably, the group also welcomes "silent review" type data such as "I 
reviewed section N.N and have no comments".

Brad, Mike - other than the "Modifications to WebSockets" section, if 
there are any other specific section(s) you want WebApps to review, 
please let us know.

-Thanks, AB

-------- Original Message --------
Subject: 	Transition Announcement: Mixed Content to Last Call Working Draft
Resent-Date: 	Tue, 11 Nov 2014 01:08:43 +0000
Resent-From: 	chairs@w3.org
Date: 	Tue, 11 Nov 2014 01:08:15 +0000
From: 	Brad Hill <hillbrad@fb.com>
To: 	chairs@w3.org <chairs@w3.org>
CC: 	webapps@w3.org <webapps@w3.org>, public-html-media@w3.org 
<public-html-media@w3.org>, public-geolocation@w3.org 
<public-geolocation@w3.org>



On behalf of the WebAppSec WG I would like to announce the transition of
Mixed Content to Last Call Working Draft and request review and comment by
all interested parties.

The document will be officially published on Nov 13 at:

http://www.w3.org/TR/2014/WD-mixed-content-20141113/

Abstract:
---------
Mixed Content describes how user agents should handle rendering and
execution of content loaded over unencrypted or unauthenticated
connections in the context of an encrypted and authenticated document.


Laypersons Abstract:
--------------------
In less security jargony terms, this report is about normalizing and
locking down browser behavior when  e.g. an image or script is (asked to
be) loaded over http from an https resource.  The spec defines categories
for both "blockable" and "optionally-blockable" content with the
recognition that, "draconian blocking policies applied to some types of
mixed content are (for the moment) infeasible."

The draft also speaks to "Secure Contexts for Powerful Features", a
potentially cross-cutting concern for many Web APIs.  If you are
considering or people are asking your WG to only allow access to an API
from a secure context, this document defines how the determination of a
secure context is made, and you should review it.

A modification to the WebSocket constructor algorithm is also made to
forbid the creation of insecure web sockets, and the completion of wss://
sockets that are weakly TLS-protected, from secure contexts which restrict
mixed content.



Who should review and comment:
------------------------------
In particular, I am aware that at least the WebApps, Geolocation, HTML
(for EME) and WebCrypto WGs all have APIs which require or are being
debated to possibly require a secure context and we request review and
comments from these groups.




The deadline for Last Call comments is 11 December 2014, and feedback
should be sent to public-webappsec@w3.org.

Thank you,

Brad Hill
Co-chair, WebAppSec WG

Received on Tuesday, 11 November 2014 02:39:33 UTC