W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

Re: CfC: Republish MIX as CR; deadline July 29th.

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 04 Aug 2015 23:50:58 +0000
Message-ID: <CAEeYn8h2T4qco17zw4v_A+c9zw-TvFcbHyHqyToz4=9sk1gkRw@mail.gmail.com>
To: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
After reading this thread, it seems to have reached a conclusion, and I see
that there is one new issue opened related to displaying Mixed Content UI
when something insecure if fetched or retrieved from the Cache API.
https://github.com/w3c/webappsec/issues/412

I do not see any PRs to address this issue.

Is this:

1) A consensus blocker?
2) Something that can be done entirely in Fetch, or does it require changes
to MIX?
3) Acceptable as a Level 2 feature?

-Brad

On Thu, Jul 30, 2015 at 4:22 AM Mike West <mkwst@google.com> wrote:

> I think this is the semantic we need for MIX. If you implement it in
> Fetch, brilliant. If not, I think I'll need to implement it in MIX, which
> is less brilliant, but fine.
>
> -mike
> On Jul 30, 2015 12:41, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
>> On Thu, Jul 30, 2015 at 12:26 PM, Mike West <mkwst@google.com> wrote:
>> > Still, examining the `window` and `client` property sees like a strange
>> way
>> > of asking "Is this a passthrough request?" One way of dealing with that
>> > indirection is to bake it into Fetch. Another is to rewrite the
>> algorithm in
>> > MIX to make more sense. It sounds like you'd prefer the latter, Anne.
>>
>> I'm not sure, I haven't made up my mind. Indicating "passthrough" in
>> some way might have value elsewhere too, though I can't immediately
>> think of anything. It is a bit weird how this works out for MIX, but
>> copying context over for three values where that has use seems wrong
>> too. And we definitely need to keep client/window around for a whole
>> bunch of things.
>>
>>
>> --
>> https://annevankesteren.nl/
>>
>
Received on Tuesday, 4 August 2015 23:51:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:14 UTC