Hey folks, as a bit of TPAC prework, Emily and I sketched out some things
we're thinking about for a second pass at the Mixed Content spec. We'd
really appreciate y'all taking some time to chew them over so we have
things to talk about in a ~week. :)
Details are at
https://github.com/mikewest/webappsec-mixed-content/blob/master/proposed-level-2-roadmap.md.
The TL;DR is that we think user agents should:
1. Upgrade blockable mixed content to HTTPS by default rather than
blocking it.
2. Treat optionally-blockable mixed content as blockable by default, with
an opt-in to status quo behavior.
3. Deprecate and remove `Upgrade-Insecure-Requests` in favor of the above.
4. Remove their user-facing blockable mixed content overrides.
Explicitly CCing some folks who I hope will be interested.
Thanks!
-mike
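To make the practical effect of the four proposals concrete, here is a small model of the mixed-content decision a user agent would make for one subresource load. It is an added illustration, not code from the email or from the linked roadmap document. The function names (classify, upgrade, decide), the resource-type table, and the status-quo opt-in flag are assumptions made for the example; the rule that an explicit port 80 becomes 443 on upgrade is taken from the existing Upgrade-Insecure-Requests algorithm as the example's author understands it, not from the email.

```python
from urllib.parse import urlsplit, urlunsplit

# Mixed Content Level 1 treats insecurely loaded images, audio and video as
# "optionally blockable" (loaded with a warning); every other insecure
# subresource (scripts, fetches, frames, WebSocket connections, ...) is
# "blockable". This table is the example's simplification of that split.
OPTIONALLY_BLOCKABLE_TYPES = {"image", "audio", "video"}
INSECURE_SCHEMES = {"http", "ws"}


def classify(page_url, resource_url, resource_type):
    """Return 'not-mixed', 'optionally-blockable' or 'blockable'."""
    page = urlsplit(page_url)
    resource = urlsplit(resource_url)
    # Only a secure page can have mixed content at all.
    if page.scheme != "https":
        return "not-mixed"
    if resource.scheme not in INSECURE_SCHEMES:
        return "not-mixed"
    if resource_type in OPTIONALLY_BLOCKABLE_TYPES:
        return "optionally-blockable"
    return "blockable"


def upgrade(resource_url):
    """Rewrite an insecure URL to its secure counterpart: http -> https,
    ws -> wss, and an explicit port 80 becomes 443 (assumption: this mirrors
    the Upgrade-Insecure-Requests upgrade algorithm)."""
    parts = urlsplit(resource_url)
    scheme = {"http": "https", "ws": "wss"}.get(parts.scheme, parts.scheme)
    netloc = parts.netloc
    if parts.port == 80:
        netloc = f"{parts.hostname}:443"
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def decide(page_url, resource_url, resource_type, level=2, opt_in_status_quo=False):
    """Return (action, url) for loading resource_url from page_url.

    level=1 models current Mixed Content behaviour; level=2 models the
    proposed defaults: blockable content is upgraded instead of blocked
    (item 1), optionally-blockable content is treated as blockable unless the
    page opts in to the status quo (item 2). What happens if the upgraded
    fetch later fails is outside this example.
    """
    kind = classify(page_url, resource_url, resource_type)
    if kind == "not-mixed":
        return ("load", resource_url)
    if level == 1:
        if kind == "blockable":
            return ("block", None)
        return ("load-with-warning", resource_url)
    if kind == "optionally-blockable" and opt_in_status_quo:
        return ("load-with-warning", resource_url)
    return ("upgrade", upgrade(resource_url))


if __name__ == "__main__":
    # Constructed sample loads from an https page.
    page = "https://shop.example/checkout"
    for url, kind in [("http://cdn.example/app.js", "script"),
                      ("http://img.example/logo.png", "image"),
                      ("ws://chat.example/socket", "websocket")]:
        print(url, kind, "level1:", decide(page, url, kind, level=1),
              "level2:", decide(page, url, kind))
```

Running the block prints, for each constructed load, the Level 1 outcome beside the proposed Level 2 outcome, which makes visible that an http:// image that today loads with a warning would, under the proposal, be upgraded like a script.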