Proposal for a MIX Level 2 roadmap. from Mike West on 2017-10-27 (public-webappsec@w3.org from October 2017)

From: Mike West <mkwst@google.com>
Date: Fri, 27 Oct 2017 09:07:15 +0200
To: public-webappsec@w3.org, Emily Stark <estark@google.com>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Peter Eckersley <pde@eff.org>, Brad Hill <hillbrad@gmail.com>
Message-ID: <CAKXHy=fsLb+335LFfhQpWM9zYFiGPURrdcg-v5y=m2JCJRpw9A@mail.gmail.com>

Hey folks, as a bit of TPAC prework, Emily and I sketched out some things
we're thinking about for a second pass at the Mixed Content spec. We'd
really appreciate y'all taking some time to chew them over so we have
things to talk about in a ~week. :)

Details are at
https://github.com/mikewest/webappsec-mixed-content/blob/master/proposed-level-2-roadmap.md.
The TL;DR is that we think user agents should:

1.  Upgrade blockable mixed content to HTTPS by default rather than
blocking it.

2.  Treat optionally-blockable mixed content as blockable by default, with
an opt-in to status quo behavior.

3.  Deprecate and remove `Upgrade-Insecure-Requests` in favor of the above.

4.  Remove their user-facing blockable mixed content overrides.

Explicitly CCing some folks who I hope will be interested.

Thanks!

-mike

Received on Friday, 27 October 2017 07:07:58 UTC