
Re: Proposal: Marking HTTP As Non-Secure

From: Igor Bukanov <igor@mir2.org>
Date: Tue, 16 Dec 2014 06:29:25 +0100
Message-ID: <CADd11yXRBBHrEN8GgzFU6-5vsBw++cb9XS5PPrAn20J5OGvkmw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Michal Zalewski <lcamtuf@google.com>, Peter Bowen <pzbowen@gmail.com>, Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>

On 15 December 2014 at 18:54, Daniel Veditz <dveditz@mozilla.com> wrote:

> Serve the HTML page over http: but load all sub-resources over https: as
> expected after the transition. Add the following header:
>
> Content-Security-Policy-Report-Only: default-src https:; report-uri <me>
>

This is a nice trick! However, it does not work in general due to the use
of protocolless-links starting with // . Or should those be discouraged?
Received on Tuesday, 16 December 2014 05:29:53 UTC
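
The interaction between `//` links and the report-only policy discussed in this message, as an added example that is not part of the original thread: it resolves each subresource reference against the page as served over http: today and over https: after the transition, and separates reports caused only by scheme inheritance from real http: loads. The host name, the reference list and the function names are constructed for illustration, and the `https:` source is modelled simply as "resolved scheme is https".

```javascript
// Added example, not from the original message. All names and URLs below
// are constructed sample data.

// Simplified model of "default-src https:": a load is allowed only when the
// reference, resolved against the page URL, has the https scheme.
function allowedByHttpsOnly(ref, pageUrl) {
  return new URL(ref, pageUrl).protocol === 'https:';
}

// Classify one reference for a page on `host` that is served over http:
// today and will be served over https: after the transition.
function classify(ref, host) {
  const today = allowedByHttpsOnly(ref, `http://${host}/`);
  const after = allowedByHttpsOnly(ref, `https://${host}/`);
  if (today) return 'clean';            // no report today or later
  if (after) return 'scheme-inherited'; // reported today only because the page is http:
  return 'mixed-content';               // still http: once the page is https:
}

// Group a list of references by classification.
function audit(refs, host) {
  const result = { 'clean': [], 'scheme-inherited': [], 'mixed-content': [] };
  for (const ref of refs) {
    result[classify(ref, host)].push(ref);
  }
  return result;
}

// Constructed sample: references as they might appear in a page's markup.
const SAMPLE_REFS = [
  'https://static.example.test/app.css', // explicit https
  '//cdn.example.test/lib.js',           // protocol-relative
  '/img/logo.png',                       // path-relative, also inherits the scheme
  'http://legacy.example.test/track.js', // hard-coded http
];

const report = audit(SAMPLE_REFS, 'www.example.test');
console.log(JSON.stringify(report, null, 2));
```

Only the `mixed-content` group needs fixing before the switch; the `scheme-inherited` group shows up in report-uri traffic while the page is on http: but resolves to https: afterwards.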
