As we (briefly) discussed in the May 7th call[1] <http://www.w3.org/2011/webappsec/draft-minutes/2014-05-07-webappsec-minutes.html#item07>, mixed content is poorly defined, and doesn't really belong in either Fetch or CSP directly. I've put together a draft "Mixed Content" specification[2] <https://w3c.github.io/webappsec/specs/mixedcontent/> in the hopes of addressing those concerns. This draft does not attempt to invent new functionality, but instead to document and refine the mixed content behavior user agents already exhibit. I hope it contains no real surprises. Your feedback would be very much appreciated. Note: the algorithms and implementation rely heavily on the Fetch living standard, which Anne has been kind enough to offer to modify as outlined in section 6 of the draft[3] <https://w3c.github.io/webappsec/specs/mixedcontent/#fetch-integration>. [1]: http://www.w3.org/2011/webappsec/draft-minutes/2014-05-07-webappsec-minutes.html#item07 [2]: https://w3c.github.io/webappsec/specs/mixedcontent/ [3]: https://w3c.github.io/webappsec/specs/mixedcontent/#fetch-integration -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 30 May 2014 18:05:07 UTC