On Mon, Jan 5, 2015 at 1:45 PM, Chris Palmer <palmer@google.com> wrote: > On Mon, Jan 5, 2015 at 1:32 PM, Mark Watson <watsonm@netflix.com> wrote: > > > How about if a page could declare, in the first HTML page that is > > downloaded, that it intends to use mixed content. In this case the UX is > > made identical to an http page, though under the covers HTTPS is used for > > many of the resources. > > > > In the case where the user explicitly typed "https://..." or clicked on > a > > link that was explicitly visible as https, you might want to show an > > explicit warning. But most of the time users are just typing the domain > > name, getting redirected from the http:// version or clicking on search > > engine results (where visible indication of https could be suppressed for > > such sites). > > The burden is not on users to declare they want security. > > The burden is on site operators — who at least nominally have the > knowledge and the ability — to provide at least the bare minimum. > Sure, but I was addressing the question of whether there was a way to allow mixed content without giving misleading indications to users. A site that is almost entirely HTTPS, but with HTTP used to retrieve some data resources, seems to be better than having the site entirely HTTP, no ? My suggestion is that the appropriate UX in that case is the same as an HTTP site, even though the security properties might be better. My second paragraph was entirely a pre-emptive response to the point that *some users* do explicitly ask for security - by explicitly typing HTTPS - and so one should be careful not just to downgrade them without warning. ...Mark
Received on Monday, 5 January 2015 21:51:29 UTC