Re: Proposal: Marking HTTP As Non-Secure

On Tue, Dec 16, 2014 at 6:35 AM, Ryan Sleevi <rsleevi@chromium.org> wrote:
>
>
>
> On Mon, Dec 15, 2014 at 9:29 PM, Igor Bukanov <igor@mir2.org> wrote:
>>
>> On 15 December 2014 at 18:54, Daniel Veditz <dveditz@mozilla.com> wrote:
>>
>>> Serve the HTML page over http: but load all sub-resources over https: as
>>> expected after the transition. Add the following header:
>>>
>>> Content-Security-Policy-Report-Only: default-src https:; report-uri <me>
>>>
>>
>> This is a nice trick! However, it does not work in general due to the use
>> of protocol-less links starting with //. Or should those be discouraged?
>>
>>
> Sounds like a CSP bug to me; scheme-relative URLs are awesome, and we
> should encourage them (over explicit http://-schemed URLs).
>

-lists other than public-webappsec@.

Nothing in CSP should prevent scheme-relative URLs from functioning; they
should resolve relative to the document in which they're embedded, and CSP
should block or allow them accordingly.

If that doesn't work, please file bugs. :)

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany. Register court and number: Hamburg, HRB 86891. Registered office:
Hamburg. Managing Directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 16 December 2014 05:41:15 UTC
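The exchange above turns on two things: how a scheme-relative reference such as `//static.example/app.js` resolves against the document that embeds it, and how a `Content-Security-Policy-Report-Only: default-src https:` policy then judges the resolved URL. The following is an added example, not code from the thread or from any of its participants, that models both steps so a site owner can see which fetches the report-only trial would report. The hostnames and the `/csp-report` endpoint are constructed, and the source-expression matcher is a deliberately reduced subset of the CSP matching rules (scheme-only sources, plain host sources, `'self'`, `'none'`; no ports, paths, wildcards or nonces), which is enough to show the behaviour discussed in the thread.

```javascript
// Added example: resolve a sub-resource reference against its document and
// evaluate it against a "default-src https:" report-only policy.
// Assumes Node.js (WHATWG URL is global). Hostnames below are constructed.

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// A scheme-relative reference ("//host/path") takes the scheme of the
// document it is embedded in; this is the point made in the reply above.
function resolveSubresource(documentUrl, reference) {
  return new URL(reference, documentUrl);
}

// Reduced source-expression matcher (simplification, not the full CSP rules):
//   "https:"              scheme-only source, matches any URL with that scheme
//   "https://cdn.example" host source, matches scheme + host
//   'self' / 'none'       document origin / nothing
function sourceMatches(source, resolved, documentUrl) {
  if (source === "'self'") return new URL(documentUrl).origin === resolved.origin;
  if (source === "'none'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return resolved.protocol.toLowerCase() === source.toLowerCase();
  }
  try {
    const s = new URL(source);
    return s.protocol === resolved.protocol && s.host === resolved.host;
  } catch {
    return false; // keyword or malformed source we do not model
  }
}

// Decide whether one fetch would be allowed by default-src, and where a
// violation report would go if not. Report-Only never blocks; it only reports.
function evaluateFetch(cspHeader, documentUrl, reference) {
  const policy = parseCsp(cspHeader);
  const resolved = resolveSubresource(documentUrl, reference);
  const sources = policy['default-src'] || [];
  const allowed = sources.some((s) => sourceMatches(s, resolved, documentUrl));
  return {
    resolvedUrl: resolved.href,
    allowed,
    reportUri: allowed ? null : (policy['report-uri'] || [])[0] || null,
  };
}

// Walk a page's sub-resource references and return only those that would be
// reported, so the output reads like the report-uri endpoint's inbox.
function violationsFor(cspHeader, documentUrl, references) {
  return references
    .map((ref) => ({ ref, ...evaluateFetch(cspHeader, documentUrl, ref) }))
    .filter((r) => !r.allowed);
}

// Constructed scenario: the trial header from the thread, one http: page and
// the same page after the https: transition, each embedding the same references.
const TRIAL_HEADER = 'default-src https:; report-uri /csp-report';
const REFERENCES = [
  '//static.example/app.js',          // scheme-relative: follows the document
  'https://static.example/style.css', // explicit https: always passes
  'http://legacy.example/old.js',     // explicit http: always reported
];

console.log('http: page ->', violationsFor(TRIAL_HEADER, 'http://www.example/page', REFERENCES).map((v) => v.resolvedUrl));
console.log('https: page ->', violationsFor(TRIAL_HEADER, 'https://www.example/page', REFERENCES).map((v) => v.resolvedUrl));
```

Running it shows the caveat raised in the thread: while the HTML is still served over http:, every scheme-relative reference resolves to http: and lands in the report-uri inbox alongside the genuinely hard-coded http: URLs, so the trial cannot tell them apart; once the document itself moves to https:, the same references resolve to https: and only the explicit http: reference remains. The reference itself is fine, as the reply says; it is the report-only run on the pre-transition http: page that produces the extra reports.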