- From: Mike West <mkwst@google.com>
- Date: Tue, 26 Jan 2016 12:51:03 +0100
- To: Brad Hill <hillbrad@gmail.com>, Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 26 January 2016 11:51:51 UTC
On Mon, Jan 25, 2016 at 8:55 PM, Brad Hill <hillbrad@gmail.com> wrote:

> I think that Mike has already identified some key areas of improvement
> with CSP3 by targeting smaller, more modular specs, but even on some quite
> small ones like Mixed Content and Secure Contexts, we're still at something
> of a standstill.

Forking this thread for this tiny topic:

From my perspective, "Secure Contexts" is feature-complete (which is also why I haven't been investing time in it :) ). Boris (CC'd) raised some issues with the spec text at the end of last year, and I believe I've addressed those in the current draft. I'll take another pass over it this week or next, but I think it's fairly sane and self-consistent at this point. I'd encourage folks to take a look at the document over the next few days to see if y'all agree.

There might be some open work for Fetch and HTML (https://github.com/w3c/webappsec-secure-contexts/issues/5), but I believe those won't affect this document's language.

The only open issue that has active disagreement is tangential to the main spec: we'd like to define a `[SecureContext]` IDL attribute, and it's not clear whether it should only cause calls to throw/reject, or whether we should actively remove APIs from secure contexts. I encourage folks who care to follow the conversation at https://github.com/heycam/webidl/pull/65.

-mike