W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [webappsec] Rechartering: force secure-only child browsing contexts

From: Brian Smith <brian@briansmith.org>
Date: Thu, 13 Nov 2014 20:34:07 -0800
Message-ID: <CAFewVt45G0WGQkFq-u-rRiuuE7GS5d0TZVkb5+S0NQBk_1Gxfg@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@fb.com>, Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Nov 13, 2014 at 7:27 PM, Ryan Sleevi <sleevi@google.com> wrote:
> So, that's a lot of hypotheticals. My gut is that they're correct - but we
> need empirical data, either due to a browser implementing it ("Damn the
> torpedoes!") or through telemetry/metrics.

I agree.

> Since I like security more than complexity, consider it a +1 to spec'ing it,
> and then we revisit during whenever that point during the revised W3C
> process where people actually implement and discover it might need to be
> opt-in for some time before (eventually) becoming default.

I think this can be specified by just adding a couple of sentences
and/or bullet points to the existing Mixed Content draft. I am happy
to write that up, if people agree.

If it turns out to be a compatibility nightmare then we can just cut
it from Mixed Content before it hits Recommendation status.

Received on Friday, 14 November 2014 04:34:34 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC