I think we're getting pretty close to pushing the mixed content spec to
Last Call. The interesting bits I know of have been resolved by:

1. Dropping the public/private distinction from MIX, kicking it out to
"Secure Introduction of Internet-Connected Things"[1] which folks are
discussing separately.

2. Moving the TLS checks to a new attribute on the Request's client, and on
the Response, which Anne was kind enough to add to Fetch for me. It's
currently named "authentication state", which probably needs some
bikeshedding, but the name shouldn't block progress on MIX.

3. The TAG's substantive feedback (handcrafted and delivered by mnot@) has
been addressed, and we can discuss resolution of the nits during the last
call phase.

I don't believe there are any substantive controversies remaining, but if
I've missed anything, this CfC is a nice forcing function to get it out
into the open. :)

Please read through the current draft, up for review at
https://w3c.github.io/webappsec/specs/mixedcontent/, and send comments to
public-webappsec@w3.org. Positive feedback is encouraged!

This CfC will end in a week, on November 5th, 2014.

Thanks!

[1]: https://readable-email.org/list/public-webappsec/topic/secure-introduction-of-internet-connected-things-was-re-webappsec-agenda-for-monday-teleconference-2014-10-20-12-00-pdt

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)