- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 19 Nov 2014 13:07:50 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
The mixed content document should specify how http:// links for HSTS origins work: does the blocking happen before or after the internal redirect?

See Henri Sivonen's comment here:
https://bugzilla.mozilla.org/show_bug.cgi?id=838395#c11

In particular, see the message he cited, regarding how browsers' current behavior is problematic for w3.org:
http://lists.w3.org/Archives/Public/www-tag/2014Nov/0033.html

I lean toward what Henri suggested: developer tools should make noise, but the browser should do the redirect to the HTTPS origin instead of blocking.

Cheers,
Brian
Received on Wednesday, 19 November 2014 21:08:18 UTC
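
The two orderings the message asks about, as an added example that is not part of the original message or of any browser's code. `HstsStore`, `loadSubresource`, the order names and the `.example` hosts are hypothetical, and the resource is assumed to be a blockable type such as a script.

```javascript
// Added illustration: a toy model, not a browser implementation.
class HstsStore {
  constructor() { this.entries = new Map(); }
  // Record a Strict-Transport-Security policy seen for `host`.
  note(host, maxAgeSeconds, includeSubDomains, nowMs) {
    this.entries.set(host.toLowerCase(),
      { expires: nowMs + maxAgeSeconds * 1000, includeSubDomains });
  }
  // True if `host`, or a parent that set includeSubDomains, has a live policy.
  isKnown(host, nowMs) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join("."));
      if (e && e.expires > nowMs && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
}

// order "check-first":   the mixed content check sees the URL as written.
// order "upgrade-first": the HSTS internal redirect runs before the check.
function loadSubresource(pageUrl, resourceUrl, hsts, order, nowMs) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  const warnings = [];
  const upgrade = () => {
    if (res.protocol === "http:" && hsts.isKnown(res.hostname, nowMs)) {
      res.protocol = "https:";
      // The "developer tools should make noise" part of the proposal.
      warnings.push(`http:// link to HSTS host ${res.hostname} was upgraded`);
    }
  };
  const isMixed = () => page.protocol === "https:" && res.protocol === "http:";

  if (order === "upgrade-first") upgrade();
  if (isMixed()) return { action: "blocked", url: resourceUrl, warnings };
  upgrade(); // check-first: any upgrade happens only after the check passed
  return { action: "fetch", url: res.href, warnings };
}
```

With "upgrade-first", an http:// link still gets blocked when the host has no HSTS entry or the entry has expired, so only hosts the browser already knows to be HTTPS-only are exempted.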