
Secure Contexts to CR? (Re: [webappsec] Teleconference Agenda: 27-Jan-2016)

From: Mike West <mkwst@google.com>
Date: Tue, 26 Jan 2016 12:51:03 +0100
Message-ID: <CAKXHy=dCBgw0itUqvAOLXCE0bdeRYsQyfjmvVJTiyA8mr7Bicg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>, Boris Zbarsky <bzbarsky@mit.edu>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jan 25, 2016 at 8:55 PM, Brad Hill <hillbrad@gmail.com> wrote:

> I think that Mike has already identified some key areas of improvement
> with CSP3 by targeting smaller, more modular specs, but even on some quite
> small ones like Mixed Content and Secure Contexts, we're still at something
> of a standstill.
>

Forking this thread for this tiny topic:

From my perspective, "Secure Contexts" is feature-complete (which is also
why I haven't been investing time in it :) ). Boris (CC'd) raised some
issues with the spec text at the end of last year, and I believe I've
addressed those in the current draft. I'll take another pass over it this
week or next, but I think it's fairly sane and self-consistent at this
point. I'd encourage folks to take a look at the document over the next few
days to see if y'all agree.

There might be some open work for Fetch and HTML (
https://github.com/w3c/webappsec-secure-contexts/issues/5), but I believe
those won't affect this document's language.

The only open issue that has active disagreement is tangential to the main
spec: we'd like to define a `[SecureContext]` IDL attribute, and it's not
clear whether it should only cause calls to throw/reject, or whether we
should actively remove APIs from secure contexts. I encourage folks who
care to follow the conversation at https://github.com/heycam/webidl/pull/65.

-mike
Received on Tuesday, 26 January 2016 11:51:51 UTC
