- From: Brian Smith <brian@briansmith.org>
- Date: Thu, 13 Nov 2014 20:34:07 -0800
- To: Ryan Sleevi <sleevi@google.com>
- Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@fb.com>, Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Nov 13, 2014 at 7:27 PM, Ryan Sleevi <sleevi@google.com> wrote:
> So, that's a lot of hypotheticals. My gut is that they're correct - but we
> need empirical data, either due to a browser implementing it ("Damn the
> torpedoes!") or through telemetry/metrics.

I agree.

> Since I like security more than complexity, consider it a +1 to spec'ing it,
> and then we revisit during whenever that point during the revised W3C
> process where people actually implement and discover it might need to be
> opt-in for some time before (eventually) becoming default.

I think this can be specified by just adding a couple of sentences
and/or bullet points to the existing Mixed Content draft. I am happy
to write that up, if people agree.

If it turns out to be a compatibility nightmare then we can just cut
it from Mixed Content before it hits Recommendation status.

Cheers,
Brian
Received on Friday, 14 November 2014 04:34:34 UTC