W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Igor Bukanov <igor@mir2.org>
Date: Tue, 16 Dec 2014 07:02:35 +0100
Message-ID: <CADd11yVM+GDG+k8UtEQ6U4arN36C__D0xfXYneQn=dOTMiLRzw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Ryan Sleevi <rsleevi@chromium.org>, Daniel Veditz <dveditz@mozilla.com>, Michal Zalewski <lcamtuf@google.com>, Peter Bowen <pzbowen@gmail.com>, Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 16 December 2014 at 06:40, Mike West <mkwst@google.com> wrote:

>
> Nothing in CSP should prevent scheme-relative URLs from functioning; they
> should resolve relative to the document in which they're embedded, and CSP
> should block or allow them accordingly.
>
>
The idea is to use CSP reports to check if a site is ready for https switch
before the actual switch by insisting on https: protocol for all resources.
That does not work with scheme-relative URLs.
Received on Tuesday, 16 December 2014 06:03:02 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC