Re: [fetch] Exempt HSTS-upgraded resources from mixed content blocking (#150) from Mike West on 2015-11-05 (public-webapps-github@w3.org from November 2015)

From: Mike West <notifications@github.com>
Date: Thu, 05 Nov 2015 05:13:17 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Message-ID: <whatwg/fetch/issues/150/154056325@github.com>

For clarity: I want this in Fetch. I don't think I have time to drive it.  The document I've started is just an explainer that I can point people to who aren't familiar with Fetch.

For credentials: don't we already need a new connection to move from port 80 to port 443? Or am I missing your concern?

For navigation: see http://mikewest.github.io/hsts-priming/#open-questions. I'm not sure there's any real value in doing so, since it doesn't actually close the initial window of attack.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/150#issuecomment-154056325

Received on Thursday, 5 November 2015 13:13:50 UTC