- From: timeless <timeless@gmail.com>
- Date: Mon, 16 Nov 2015 15:08:13 -0500
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Mixed Content [1]
> feedback due by: 2015-10-22

sorry for the delay

Notifier wrote:
> It means that the WG believes the feature may have difficulting [sic] being interoperably implemented in a timely manner,

difficulty

> This is potentially confusing, but given the term’s near ubiquitious [sp]

> The fact that Service Workers sit inbetween [sp] a document and the network

in-between
Or just `between`.

> Together, these assertions give the user some assurance that example.com is the only entity that can read and respond to her requests (caveat: without shocking amounts of work) and that the bits she’s received are indeed those that example.com actually sent.

example.com and her own computer / UA.

> (scripts, images, etc)

etc.

> A resource’s origin is said to be insecure if it is either a priori insecure, or the user agent discovers only after performing a TLS-handshake that the Response’s HTTPS state is deprecated authentication.

Fetch [2] only has `deprecated` in teletype, there's no `authentication` there.

> Note: Note [sic] that requests made on behalf of a plugin are blockable.

Drop `Note that`

> 1. treat optionally-blockable mixed content as though it were blockable.
> 4. ensure that these requirements are applied to any Document in a nested browsing context, as described in §4.3 Inheriting an opt-in.

Please capitalize `Treat` and `Ensure`.

> Note: This requirement does not include developer-facing indicators such as console messages.

include => preclude ?

> If settings' HTTPS state is not none, then return Restricts Mixed Content.

settings's or settings object's

> If embedder settings' HTTPS state is not None, then return Restricts mixed content.

similarly

> Window object (the Service Worker’s request’s client, on the other hand, will be a WorkerGlobalScope object.

There's no `)`

> The user agent has been instructed to allow mixed content, as described in §7.4 User Controls).

Ok, there's a `)` without a `(`, but I don't seriously think it matches that one.

> Remove the current step 2.

It'd be helpful if this were a link or included some text so a reader could be sure they were removing the right step 2...

> when applied to a Document's incumbent settings object

You generally use fancy quotes, except here.

> Fetch event (e.g. fetch(event.response) should be executable inside the event handler.

Unclosed `(`

[1] http://www.w3.org/TR/2015/CR-mixed-content-20151008/
[2] https://fetch.spec.whatwg.org/#concept-response-https-state
Received on Monday, 16 November 2015 20:08:41 UTC