Proposal for a MIX Level 2 roadmap.

Hey folks, as a bit of TPAC prework, Emily and I sketched out some things
we're thinking about for a second pass at the Mixed Content spec. We'd
really appreciate y'all taking some time to chew them over so we have
things to talk about in a ~week. :)

Details are at
https://github.com/mikewest/webappsec-mixed-content/blob/master/proposed-level-2-roadmap.md.
The TL;DR is that we think user agents should:

1.  Upgrade blockable mixed content to HTTPS by default rather than
blocking it.

2.  Treat optionally-blockable mixed content as blockable by default, with
an opt-in to status quo behavior.

3.  Deprecate and remove `Upgrade-Insecure-Requests` in favor of the above.

4.  Remove their user-facing blockable mixed content overrides.

Explicitly CCing some folks who I hope will be interested.

Thanks!

-mike

Received on Friday, 27 October 2017 07:07:58 UTC