Re: Proposal: Marking HTTP As Non-Secure from Ryan Sleevi on 2014-12-16 (public-webappsec@w3.org from December 2014)

From: Ryan Sleevi <rsleevi@chromium.org>
Date: Mon, 15 Dec 2014 21:35:26 -0800
To: Igor Bukanov <igor@mir2.org>
Cc: Daniel Veditz <dveditz@mozilla.com>, Michal Zalewski <lcamtuf@google.com>, Peter Bowen <pzbowen@gmail.com>, Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
Message-ID: <CACvaWvbUv9XKYp0nq-tzcD2om7wGvajiHSPRHuBicq2h6sEJdQ@mail.gmail.com>

On Mon, Dec 15, 2014 at 9:29 PM, Igor Bukanov <igor@mir2.org> wrote:
>
> On 15 December 2014 at 18:54, Daniel Veditz <dveditz@mozilla.com> wrote:
>
>> Serve the HTML page over http: but load all sub-resources over https: as
>> expected after the transition. Add the following header:
>>
>> Content-Security-Policy-Report-Only: default-src https:; report-uri <me>
>>
>
> This is a nice trick! However, it does not work in general due to the use
> of protocolless-links starting with // . Or should those be discouraged?
>
>
Sounds like a CSP-bug to me; scheme-relative URLs are awesome, and we
should encourage them (over explicit http://-schemed URLs)

Received on Tuesday, 16 December 2014 05:35:53 UTC