Hello, WebAppSec!
On the Feb. 9th call[1], we concluded that it was probably time to take the
Mixed Content spec to CR. To that end, I've published a draft CR document
at https://w3c.github.io/webappsec/specs/mixedcontent/published/2015-02-CR.html.
I believe the only open question is whether or not to merge the "Upgrade
insecure requests" draft into the Mixed Content draft. Brian suggested
doing so in [3]. I've responded at [4], but I'd like to explicitly request
feedback on this topic from the rest of the list. I see ~3ish paths forward:
1. Publish MIX as-is, and work on the upgrade spec as a separate document.
2. Publish MIX as-is, and integrate the upgrade spec into MIX Level 2.
3. Integrate the upgrade spec into MIX, and hold off on the CR transition.
I'd prefer #1, for the reasons outlined in [4]. What do you think
(especially you folks who are CC'd on this thread)?
In any event, a complete list of changes to the mixed content spec since
the November 13th Last Call draft[2] can be found at [5]. Please send any
and all comments to public-webappsec@w3.org. Feedback is encouraged. :)
This CfC will end with our next scheduled call, on Feb 23rd.
[1]: http://www.w3.org/2015/02/09-webappsec-minutes.html#item04
[2]: http://www.w3.org/TR/2014/WD-mixed-content-20141113/
[3]: https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0222.html
[4]: https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0239.html
[5]: https://github.com/w3c/webappsec/commits/master/specs/mixedcontent/index.src.html
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
Registration court and number: Hamburg, HRB 86891, Registered office:
Hamburg, Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)