Re: Reminder regarding normative references

On Wed, Oct 7, 2015 at 9:30 AM, Steve Faulkner wrote: > hi mike, i think you will find your example is in the W3C HTML 5.1: > > http://www.w3.org/TR/html51/webappapis.html#creation-url > > not saying there aren't other examples that would be concrete. > I am pleasantly

Re: Reminder regarding normative references

On Wed, Oct 7, 2015 at 12:44 AM, Wendy Seltzer wrote: > A reminder that has come up in some recent transition calls: When moving > a spec to Candidate Recommendation, we look to see that the normative > references are to documents of equivalent stability[1] -- ideally, also >

CfC: Transition "Secure Contexts" to CR; deadline October 1st.

nced terms are available for review at https://w3c.github.io/webappsec/specs/powerfulfeatures/#index-defined-elsewhere . The deadline for this CfC is one week from today, October 1st. As always, explicit (positive!) feedback to public-webapp...@w3.org is appreciated! -- Mike West <mk...@google.co

Normative references to Workers.

rs/ [4]: https://w3c.github.io/workers/ -- Mike West <mk...@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores

Secure Contexts: It's worth taking another look.

ithub.com/w3c/webappsec/issues/406> is probably the most interesting of these. I'd appreciate feedback on the document, either on public-webapp...@w3.org, or via GitHub at https://github.com/w3c/webappsec/issues/new?title=SECURE:%20 -- Mike West <mk...@google.com>, @mikewest Google Germany

Re: Permissions API vs local APIs

to check with a single consistent style seems like the right way to go. -- Mike West mk...@google.com, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine

Re: Privileged context features and JavaScript

I'd be fine with this, if it's what folks end up preferring. That said, throwing/rejecting gives us the opportunity to explain to a developer _why_ her favorite API isn't available. It's not clear how we'd help them understand what's going on if we just remove the API entirely. Consider

Re: CORS performance

. Brad's .well-known suggestion is interesting. I'm worried about the latency impacts, but it's probably worth exploring what it would take to add this kind of thing to the Manifest spec (or some same-origin-limited version thereof). -mike -- Mike West mk...@google.com, @mikewest Google Germany

Re: Clarification of CSP sandbox and workers

of the other flags would be useful, though. Ian, WDYT? -mike -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg

Re: RfC: WebAppSec's Last Call Working Draft of Mixed Content; deadline December 11

) you want WebApps to review, please let us know. http://www.w3.org/TR/2014/WD-mixed-content-20141113/#powerful-features is certainly very relevant to various specs WebApps is considering. Review and comments there would be helpful. -- Mike West mk...@google.com Google+: https://mkw.st

[Credential Management]: Tiny prototype to play around with.

/public-webapps/2014JulSep/0141.html [2]: http://lists.w3.org/Archives/Public/public-web-security/2014Oct/0009.html -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und

Re: Looking for a home for a proposed Credential Management API.

a new a new CG (although I suppose there could be some confusion with Manu's Credentials CG http://www.w3.org/community/credentials/). I guess that's an option. -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH

Looking for a home for a proposed Credential Management API.

be the right place for short-term incubation). Brad suggested that an authentication WG might be spun up out of the conversations in the recent WebCrypto workshop. Are there concrete plans for such a group? Thanks! -mike -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter

Re: Proposal for a credential management API.

forms of credentials. It currently defines local and federated credentials broadly, and vaguely. In spirit, at least, it's following Mozilla's position paper's call for a box implementations can go in, and is extensible by design. -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter

Re: Proposal for a credential management API.

complex than IDP's general pick an IDP, then grant access flows. I'd like to support both, for what it's worth. -mike -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und

Re: Proposal for a credential management API.

that it actually gets used. I agree that this is paramount. -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft

Re: Proposal for User Agent Augmented Authorization

to `authenticate` by defining suitable attributes in an IDP manifest, as sketched out at http://projects.mikewest.org/credentialmanagement/spec/#identity-provider-manifest . -mike -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH

Write-only form fields (was Re: Proposal for a credential management API.)

submission. I'm pretty happy to break that use case, given that the credential API I've proposed is locked to secure origins. There's no advantage to using WebCrypto to doubly encrypt the password in this context, and I don't think it's something we should encourage. Thanks! -- Mike West mk

Re: Write-only form fields (was Re: Proposal for a credential management API.)

requiring the site to hold passwords in plaintext. Is that the kind of use case you're considering? -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB

Re: Write-only form fields (was Re: Proposal for a credential management API.)

Thanks Jacob! On Fri, Aug 1, 2014 at 6:48 PM, Jacob S Hoffman-Andrews j...@eff.org wrote: I think the CSP directive is unnecessary and makes things more fragile. The 'protect this credential from XSS' attribute should be a property of a stored credential, not a web site. If the site has the

Proposal for a credential management API.

the proposal. Thanks in advance for your feedback, suggestions, and time. :) -mike -- Mike West mk...@google.com Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz

Re: CSP 1.1 DOM design

that on the assumption that this interface required less knowledge of CSP in order to usefully include on a page. Should we revisit that question? Thanks again! -- Mike West mk...@google.com, Developer Advocate Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Google+: https://mkw.st/+, Twitter