Re: Proposal: Marking HTTP As Non-Secure from Igor Bukanov on 2014-12-16 (public-webappsec@w3.org from December 2014)

From: Igor Bukanov <igor@mir2.org>
Date: Tue, 16 Dec 2014 07:27:34 +0100
To: Brad Hill <hillbrad@gmail.com>
Cc: Mike West <mkwst@google.com>, Ryan Sleevi <rsleevi@chromium.org>, Daniel Veditz <dveditz@mozilla.com>, Michal Zalewski <lcamtuf@google.com>, Peter Bowen <pzbowen@gmail.com>, Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADd11yWT8b3VEzvGyU-gDh_OX1Bwqsuk3EooD6DxD59eMOAghw@mail.gmail.com>

On 16 December 2014 at 07:09, Brad Hill <hillbrad@gmail.com> wrote:

> If resources are scheme relative, they will point towards https when the
> resource is https. (and work in CSP with an https: scheme policy)  So no
> brokenness.

Surely CSP is not broken. It is just it is less useful then it could be.
One cannot use CSP report-only to check what happens if the site is served
over https: while continuing to serve it over http:. By insisting on https:
protocol in CSP all scheme-relative URL would generate false positives.

Received on Tuesday, 16 December 2014 06:28:01 UTC