mixed content level 2 spec

Hi everyone,

We've been discussing what Mixed Content Level 2 might look like for quite
a while now. We finally got around to writing up a draft of a spec:
https://w3c.github.io/webappsec-mixed-content/level2.html

This document specifies that optionally-blockable content should be
upgraded to HTTPS, and blocked if the upgrade fails. We are also
experimenting with autoupgrading blockable content, though our priority is
to first ship autoupgrading for optionally-blockable content so that all
mixed content is upgraded or blocked by default.

We've had autoupgrading running as an experiment in Chrome for quite some
time, and it's now at 50% of beta channel. We're seeing somewhere in the
neighborhood of 1% of page loads with a broken subresource due to
autoupgrading. Therefore, we're working on a plan to ship autoupgrading
gradually, starting with less common resource types (audio, video) and
progressing to images. We hope to have more details to share regarding
timeline for shipping by TPAC.

Feedback welcome, here or on GitHub!

Thanks,
Emily

Received on Thursday, 5 September 2019 02:23:10 UTC
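
For site owners gauging their exposure to the upgrade-then-block behaviour described in the message, here is an added example (not part of the original post or the draft spec). It lists the insecure image, audio and video URLs on an HTTPS page, together with the HTTPS URL that would have to load for the resource to keep working. The function name, the tag list and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: find http:// image/audio/video sources on an HTTPS page and
// compute the https:// URL to test before autoupgrading reaches the site.
// Tag list is an assumption based on the resource types named in the message.
const MEDIA_TAGS = new Set(['img', 'audio', 'video', 'source']);

function findUpgradeCandidates(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only exists on HTTPS pages
  const found = [];
  const tagRe = /<(\w+)\b([^>]*)>/g;
  // Match a real src attribute only (not data-src or srcset), quoted or unquoted.
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    if (!MEDIA_TAGS.has(tag)) continue;
    const s = srcRe.exec(m[2]);
    if (!s) continue;
    let url;
    try {
      url = new URL(s[1] ?? s[2] ?? s[3], page); // resolve relative URLs
    } catch {
      continue; // unparseable src: nothing to upgrade
    }
    if (url.protocol !== 'http:') continue;
    const upgraded = new URL(url.href);
    upgraded.protocol = 'https:'; // scheme change only; host, port and path are kept
    found.push({ tag, insecure: url.href, upgraded: upgraded.href });
  }
  return found;
}

// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = `
<img src="http://img.example/a.png">
<img data-src="http://img.example/lazy.png" src="/local.png">
<video src='http://media.example:8080/v.mp4'></video>
<audio><source src=http://media.example/a.ogg></audio>
<script src="http://cdn.example/x.js"></script>
<img src="https://img.example/ok.png">
`;

for (const c of findUpgradeCandidates('https://site.example/index.html', SAMPLE_HTML)) {
  console.log(`${c.tag}: ${c.insecure} -> test ${c.upgraded}`);
}
```

Any URL in the output whose `upgraded` form does not load over HTTPS is a resource that would break once the upgrade is enforced.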