- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 3 Feb 2015 10:56:06 +0100
- To: Ryan Sleevi <sleevi@google.com>
- Cc: Mike West <mkwst@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>
On Tue, Feb 3, 2015 at 10:47 AM, Ryan Sleevi <sleevi@google.com> wrote:
> I'm not sure I follow this, so apologies for not fully keeping up with the
> shifting thread. When extended to third-party resources, if I embed an HTTP
> image from a third-party origin on a site with HSTS, it will load but
> degrade UI. If I auto-upgrade that other origin to HTTPS, it will fail to
> load - that does seem considerably worse, doesn't it?

Agreed. I think we have learned over time that coupling is bad and makes adoption harder. Which I think means that we should offer a way to do this without also opting into other features. Therefore a new CSP directive (assuming that does not opt you into other CSP features) or standalone header to upgrade URLs that would otherwise be considered mixed content seems more effective.

-- 
https://annevankesteren.nl/
Received on Tuesday, 3 February 2015 09:56:30 UTC
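The two behaviours the thread contrasts (HSTS on the page's own origin leaving a third-party HTTP image as passive mixed content with a degraded UI, versus a page-level opt-in that rewrites the request to HTTPS and fails if the third party has no HTTPS endpoint) can be modelled as a small user-agent decision function. The following is an added example written for this archive page, not code from the thread, a browser, or any specification. It assumes the directive is spelled `upgrade-insecure-requests` (the name CSP later standardised; the message itself does not name it), models HSTS as a per-host set, and uses a per-host set of hosts that actually answer over HTTPS to stand in for the network; all hostnames are constructed.

```python
"""Toy model of how a user agent could treat an http:// subresource on an
https:// page under three mechanisms: nothing, HSTS, or a page-level
upgrade directive. Illustrative only; not any browser's real logic."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Assumed directive name (later standardised in CSP; not named on the page).
UPGRADE_DIRECTIVE = "upgrade-insecure-requests"


@dataclass(frozen=True)
class Outcome:
    fetched_url: str   # URL the user agent actually requests
    loads: bool        # whether the resource is obtained
    degraded_ui: bool  # whether a mixed-content indicator is shown


def parse_csp_directive_names(header: str) -> set[str]:
    """Return the directive names present in a Content-Security-Policy value."""
    names = set()
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            names.add(parts[0].lower())
    return names


def resolve_subresource(page_url: str, resource_url: str, csp_header: str = "",
                        hsts_hosts: frozenset = frozenset(),
                        https_hosts: frozenset = frozenset()) -> Outcome:
    """Decide what happens to a subresource request.

    hsts_hosts:  hosts for which the UA has cached an HSTS entry (per host,
                 so the page's own HSTS entry says nothing about third parties).
    https_hosts: constructed stand-in for 'this host answers over HTTPS'.
    """
    page, res = urlsplit(page_url), urlsplit(resource_url)
    host = (res.hostname or "").lower()

    if res.scheme == "https":
        # Already secure: loads iff the host serves HTTPS; never mixed content.
        return Outcome(resource_url, host in https_hosts, False)

    if page.scheme != "https":
        # An http:// page has no mixed-content concept at all.
        return Outcome(resource_url, True, False)

    # Either the resource host itself is HSTS-pinned, or the page opted into
    # upgrading; both rewrite the scheme before the request leaves the UA.
    page_opted_in = UPGRADE_DIRECTIVE in parse_csp_directive_names(csp_header)
    if host in hsts_hosts or page_opted_in:
        upgraded = urlunsplit(("https",) + tuple(res[1:]))
        # Fails outright if the third party has no HTTPS endpoint: the
        # "considerably worse" case from the thread, traded for a clean UI.
        return Outcome(upgraded, host in https_hosts, False)

    # Passive mixed content (an image): fetched over plain http, UI degraded.
    return Outcome(resource_url, True, True)


def demo() -> dict:
    """Run the three scenarios discussed in the thread on constructed hosts."""
    page = "https://example.com/"               # constructed
    img = "http://cdn.example.net/logo.png"     # constructed third-party image
    return {
        # HSTS on the page's own origin only: image still loads, UI degraded.
        "hsts_first_party_only": resolve_subresource(
            page, img, hsts_hosts=frozenset({"example.com"}),
            https_hosts=frozenset({"example.com"})),
        # Upgrade directive, third party does serve HTTPS: clean load.
        "upgrade_https_capable": resolve_subresource(
            page, img, csp_header="default-src 'self'; " + UPGRADE_DIRECTIVE,
            https_hosts=frozenset({"example.com", "cdn.example.net"})),
        # Upgrade directive, third party is HTTP-only: request fails.
        "upgrade_http_only": resolve_subresource(
            page, img, csp_header=UPGRADE_DIRECTIVE,
            https_hosts=frozenset({"example.com"})),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The per-host `hsts_hosts` set is what makes the coupling point visible: the page origin's own HSTS entry cannot reach into a third-party request, so only an explicit page-level directive (or HSTS on the third party itself) changes the scheme, and that choice is exactly the load-versus-fail trade Ryan describes.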