W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: CfC: Mixed Content to PR; deadline July 6th.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 6 Jul 2015 17:00:09 +0200
Message-ID: <CADnb78j1HW7KVGGYxX-Hu=Mu=yec1Ekws4wDWyEf_NdJx2dAxQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Kristijan Burnik <burnik@google.com>, Ryan Sleevi <sleevi@google.com>
On Mon, Jul 6, 2015 at 4:51 PM, Mike West <mkwst@google.com> wrote:
> Another option that I could live with would be to drop the concept from the
> spec explicitly, and to simply rely on Fetch's "HTTPS State" in
> https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-response.
> This has the practical effect of making it possible for Chrome to continue
> our SHA-1 deprecation plans, simply deferring the conversation around
> "deprecation" from MIX to Fetch. I'm not sure that's an improvement. WDYT,
> Brian and Anne?

It seems like a net improvement to ground things in primitives. Now
whether that primitive should exist... I'm kind of okay keeping it.
TLS stack transitions are never really clean so giving user agents
some leeway there seems fine.

Received on Monday, 6 July 2015 15:00:35 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:49 UTC