- From: Arthur Barstow <art.barstow@gmail.com>
- Date: Mon, 10 Nov 2014 21:39:10 -0500
- To: public-webapps <public-webapps@w3.org>, Brad Hill <bhill@paypal.com>, Mike West <mkwst@google.com>
[ Bcc: public-review-announce ] All, This is a Request for Comments for the November 13 Last Call Working Draft of WebAppSec's Mixed Content specification: <http://www.w3.org/TR/2014/WD-mixed-content-20141113/> Please see in particular the spec's "Modifications to WebSockets" section <http://www.w3.org/TR/mixed-content/#websockets-integration>. Individual WG members are encouraged to provide individual feedback. If anyone in WebApps wants to propose an official group response, please do so ASAP, in reply to this e-mail so the group can discuss it. Comments should be sent to public-webappsec @ w3.org [1] by December 11. Presumably, the group also welcomes "silent review" type data such as "I reviewed section N.N and have no comments". Brad, Mike - other than the "Modifications to WebSockets" section, if there are any other specific section(s) you want WebApps to review, please let us know. -Thanks, AB -------- Original Message -------- Subject: Transition Announcement: Mixed Content to Last Call Working Draft Resent-Date: Tue, 11 Nov 2014 01:08:43 +0000 Resent-From: chairs@w3.org Date: Tue, 11 Nov 2014 01:08:15 +0000 From: Brad Hill <hillbrad@fb.com> To: chairs@w3.org <chairs@w3.org> CC: webapps@w3.org <webapps@w3.org>, public-html-media@w3.org <public-html-media@w3.org>, public-geolocation@w3.org <public-geolocation@w3.org> On behalf of the WebAppSec WG I would like to announce the transition of Mixed Content to Last Call Working Draft and request review and comment by all interested parties. The document will be officially published on Nov 13 at: http://www.w3.org/TR/2014/WD-mixed-content-20141113/ Abstract: --------- Mixed Content describes how user agents should handle rendering and execution of content loaded over unencrypted or unauthenticated connections in the context of an encrypted and authenticated document. Laypersons Abstract: -------------------- In less security jargony terms, this report is about normalizing and locking down browser behavior when e.g. an image or script is (asked to be) loaded over http from an https resource. The spec defines categories for both "blockable" and "optionally-blockable" content with the recognition that, "draconian blocking policies applied to some types of mixed content are (for the moment) infeasible." The draft also speaks to "Secure Contexts for Powerful Features", a potentially cross-cutting concern for many Web APIs. If you are considering or people are asking your WG to only allow access to an API from a secure context, this document defines how the determination of a secure context is made, and you should review it. A modification to the WebSocket constructor algorithm is also made to forbid the creation of insecure web sockets, and the completion of wss:// sockets that are weakly TLS-protected, from secure contexts which restrict mixed content. Who should review and comment: ------------------------------ In particular, I am aware that at least the WebApps, Geolocation, HTML (for EME) and WebCrypto WGs all have APIs which require or are being debated to possibly require a secure context and we request review and comments from these groups. The deadline for Last Call comments is 11 December 2014, and feedback should be sent to public-webappsec@w3.org. Thank you, Brad Hill Co-chair, WebAppSec WG
Received on Tuesday, 11 November 2014 02:39:34 UTC