Hello, WebAppSec and TAG,
This is a call for consensus to transition Secure Contexts to Candidate
Recommendation with the document at:
https://w3c.github.io/webappsec-secure-contexts/CR.html
Since the last time we formally discussed this spec, we've cleaned up
examples and algorithms based on some very helpful feedback from folks at
Mozilla working on their implementation (thanks Boris and Jonathan!), as
well as interested folks from the TAG and elsewhere (thanks to Anne and
Domenic in particular).
The core of the specification is already used in a number of specifications
to gate certain features (like Service Workers) to contexts which offer
guarantees about their usage, and browser vendors seem interested in
implementing.
One substantive change since the last time around is the sandbox behavior
in
https://w3c.github.io/webappsec-secure-contexts/CR.html#monkey-patching-sandbox-flags,
which now defaults to forcing a sandboxed frame into "non-secure context"
status, and requires a new 'allow-secure-context' token to allow the
context to be treated as secure. It's not clear whether we can ship that
change; it's marked as "at risk" pending gathering some metrics.
Note also that this document references WHATWG documents in a few places
where the W3C version is out of date. I'm sure we'll have some exciting
conversations about those references:
https://w3c.github.io/webappsec-secure-contexts/CR.html#index-defined-elsewhere
contains a complete list.
The deadline for this CfC is in two weeks, on August 2nd. Feedback, both
positive and negative is welcome, either directly to the list, or via some
sort of clever emoji response to
https://github.com/w3c/webappsec-secure-contexts/issues/39.
Thanks!
-mike