- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 6 Jul 2015 17:00:09 +0200
- To: Mike West <mkwst@google.com>
- Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Kristijan Burnik <burnik@google.com>, Ryan Sleevi <sleevi@google.com>
On Mon, Jul 6, 2015 at 4:51 PM, Mike West <mkwst@google.com> wrote: > Another option that I could live with would be to drop the concept from the > spec explicitly, and to simply rely on Fetch's "HTTPS State" in > https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-response. > This has the practical effect of making it possible for Chrome to continue > our SHA-1 deprecation plans, simply deferring the conversation around > "deprecation" from MIX to Fetch. I'm not sure that's an improvement. WDYT, > Brian and Anne? It seems like a net improvement to ground things in primitives. Now whether that primitive should exist... I'm kind of okay keeping it. TLS stack transitions are never really clean so giving user agents some leeway there seems fine. -- https://annevankesteren.nl/
Received on Monday, 6 July 2015 15:00:35 UTC