Re: [MIX] Interaction between HSTS and mixed content blocking

From: Adam Langley <agl@google.com>
Date: Wed, 19 Nov 2014 13:30:15 -0800
Message-ID: <CAL9PXLzztWWq11-hdEjCohm5mn7qKBFFze2TjmZHCxkk6Rg4tA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Nov 19, 2014 at 1:07 PM, Brian Smith <brian@briansmith.org> wrote:
> I lean toward what Henri suggested: developer tools should make noise,
> but the browser should do the redirect to the HTTPS origin instead of
> blocking.

Chrome applies mixed-content rules before HSTS redirects are
considered and it's unlikely that we would change that.

Otherwise sites randomly work or not based on whether the profile has
previously visited (and thus remembered HSTS for) an origin.

Also, it leaves mixed-content issues to bite people using browsers
that don't implement HSTS (and possibly allow dangerous loads).


Cheers

AGL
Received on Wednesday, 19 November 2014 21:31:02 UTC
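The ordering question in the mail, as an added example that is not code from the thread or from Chrome: a small model of a subresource fetch issued by an https:// page under the two orderings discussed, with the mixed-content check run before the HSTS upgrade (as described for Chrome) or after it (as in the quoted suggestion). The HSTS cache, profile names, URLs and the rule that every http:// subresource on an https:// page counts as blockable mixed content are all assumptions made for illustration; a browser without HSTS support is modelled as an empty cache.

```javascript
// Added example (not Chrome's code): a model of the two orderings discussed in
// the thread for a subresource fetch issued by an https:// page. All names here
// are assumptions made for illustration.

const BLOCK = "block";                 // mixed-content rules refuse the load
const UPGRADE = "upgrade-to-https";    // HSTS rewrites http:// to https://
const ALLOW = "allow";

// Hypothetical HSTS cache: hosts this profile has previously received a
// Strict-Transport-Security header from. A browser without HSTS support is
// modelled as an empty cache. (includeSubDomains and max-age are omitted.)
class HstsCache {
  constructor(hosts = []) { this.hosts = new Set(hosts); }
  isKnown(host) { return this.hosts.has(host); }
}

// Assumption: every http:// subresource on an https:// page is treated as
// blockable mixed content (the thread does not distinguish optionally-blockable
// content such as images).
function isMixedContent(pageUrl, sub) {
  return new URL(pageUrl).protocol === "https:" && sub.protocol === "http:";
}

// Ordering described in the mail: mixed-content check first, HSTS afterwards.
function decideMixedContentFirst(pageUrl, subresourceUrl, hsts) {
  const sub = new URL(subresourceUrl);
  if (isMixedContent(pageUrl, sub)) return BLOCK;
  if (sub.protocol === "http:" && hsts.isKnown(sub.hostname)) return UPGRADE;
  return ALLOW;
}

// Ordering from the quoted suggestion: HSTS upgrade first, then mixed-content check.
function decideHstsFirst(pageUrl, subresourceUrl, hsts) {
  const sub = new URL(subresourceUrl);
  if (sub.protocol === "http:" && hsts.isKnown(sub.hostname)) return UPGRADE;
  if (isMixedContent(pageUrl, sub)) return BLOCK;
  return ALLOW;
}

// Run one decision function against several profiles and report whether the
// outcome depends on profile state, which is the problem the mail raises.
function outcomeByProfile(decide, pageUrl, subresourceUrl, profiles) {
  const results = {};
  for (const [name, hsts] of Object.entries(profiles)) {
    results[name] = decide(pageUrl, subresourceUrl, hsts);
  }
  const distinct = new Set(Object.values(results));
  return { results, consistent: distinct.size === 1 };
}

// Constructed scenario: an https:// page embeds a script over http:// from a
// CDN host that does send Strict-Transport-Security.
const PAGE = "https://shop.example/checkout";
const SCRIPT = "http://cdn.example/app.js";
const PROFILES = {
  freshProfile: new HstsCache(),                    // never visited cdn.example
  returningProfile: new HstsCache(["cdn.example"]), // remembered HSTS for cdn.example
  noHstsBrowser: new HstsCache(),                   // browser that does not implement HSTS
};

function demo() {
  return {
    mixedContentFirst: outcomeByProfile(decideMixedContentFirst, PAGE, SCRIPT, PROFILES),
    hstsFirst: outcomeByProfile(decideHstsFirst, PAGE, SCRIPT, PROFILES),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

With the mixed-content check first, every profile gets the same answer (the http:// script is blocked), so the site author sees the breakage regardless of which browser or profile loads the page. With the HSTS upgrade first, the returning profile silently upgrades the script while a fresh profile or an HSTS-less browser blocks it, which is the "randomly works or not" behaviour the mail objects to.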