- From: Brad Hill <hillbrad@gmail.com>
- Date: Wed, 20 Jul 2016 21:18:10 +0000
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "www-tag@w3.org List" <www-tag@w3.org>
- Cc: Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
- Message-ID: <CAEeYn8i12Yh4M_KiMp=hN0JdbkU46r5kYpH6FCQYeuFA0_0afQ@mail.gmail.com>
<hat="individual"> I support this very much. On Tue, Jul 19, 2016 at 6:22 AM Mike West <mkwst@google.com> wrote: > Hello, WebAppSec and TAG, > > This is a call for consensus to transition Secure Contexts to Candidate > Recommendation with the document at: > > https://w3c.github.io/webappsec-secure-contexts/CR.html > > Since the last time we formally discussed this spec, we've cleaned up > examples and algorithms based on some very helpful feedback from folks at > Mozilla working on their implementation (thanks Boris and Jonathan!), as > well as interested folks from the TAG and elsewhere (thanks to Anne and > Domenic in particular). > > The core of the specification is already used in a number of > specifications to gate certain features (like Service Workers) to contexts > which offer guarantees about their usage, and browser vendors seem > interested in implementing. > > One substantive change since the last time around is the sandbox behavior > in > https://w3c.github.io/webappsec-secure-contexts/CR.html#monkey-patching-sandbox-flags, > which now defaults to forcing a sandboxed frame into "non-secure context" > status, and requires a new 'allow-secure-context' token to allow the > context to be treated as secure. It's not clear whether we can ship that > change; it's marked as "at risk" pending gathering some metrics. > > Note also that this document references WHATWG documents in a few places > where the W3C version is out of date. I'm sure we'll have some exciting > conversations about those references: > https://w3c.github.io/webappsec-secure-contexts/CR.html#index-defined-elsewhere > contains a complete list. > > The deadline for this CfC is in two weeks, on August 2nd. Feedback, both > positive and negative is welcome, either directly to the list, or via some > sort of clever emoji response to > https://github.com/w3c/webappsec-secure-contexts/issues/39. > > Thanks! > > -mike >
Received on Wednesday, 20 July 2016 21:19:12 UTC