Re: Rough sketch of directives for CSP 1.1

From: Tom Ritter <tom@ritter.vg>
Date: Thu, 3 May 2012 12:40:09 -0400
Message-ID: <CA+cU71=ij7mhOxuO1e1YjWNv_su3m4wF7TJNmYNuLiEgi65Ghw@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 3 May 2012 12:19, Hill, Brad <bhill@paypal-inc.com> wrote:
> I think he's asking, if I list "http://example.com", it should also allow "https://example.com".
>
> We discussed this at TPAC on Day 1.  The notes say that we decided that "example.com" (no scheme) implied both http and https, but explicitly listing a scheme doesn't imply automatic upgrade is allowed.

Exactly, thanks.  However, that doesn't seem to match the
implementation in Chrome, so I filed a bug against it. 126117[0]

-tom

[0] https://code.google.com/p/chromium/issues/detail?id=126117
Received on Thursday, 3 May 2012 16:40:59 GMT
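
The scheme rule quoted in the message above (a bare host implies both http and https; an explicitly listed scheme does not imply upgrade), written out as a small matcher. This is an added example, not part of the original thread and not Chrome's implementation; `parseSource` and `sourceAllows` are hypothetical names, and wildcards, ports and paths are out of scope.

```javascript
// Added illustration of the scheme rule quoted above (TPAC notes as relayed
// in the thread); not Chrome's code and not a full CSP source-list matcher.
// Assumptions: host-only matching, no wildcards, paths or ports.

// Split a source expression such as "http://example.com" or "example.com"
// into an optional scheme and a host.
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)$/i.exec(expr.trim());
  if (!m) throw new Error("unsupported source expression: " + expr);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

// Return true if `url` is allowed by the single source expression `expr`.
function sourceAllows(expr, url) {
  const src = parseSource(expr);
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1); // "https:" -> "https"
  if (u.hostname !== src.host) return false;
  if (src.scheme === null) {
    // No scheme listed: both http and https are implied.
    return scheme === "http" || scheme === "https";
  }
  // Scheme listed explicitly: exact match only, no automatic upgrade.
  return scheme === src.scheme;
}

// Constructed policy entries and request URLs, evaluated pairwise.
function demo() {
  const rows = [];
  for (const expr of ["example.com", "http://example.com", "https://example.com"]) {
    for (const url of ["http://example.com/a.js", "https://example.com/a.js"]) {
      rows.push([expr, url, sourceAllows(expr, url)]);
    }
  }
  return rows;
}

for (const [expr, url, ok] of demo()) {
  console.log(`${expr.padEnd(20)} ${url.padEnd(26)} ${ok ? "allow" : "block"}`);
}
```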