I do believe the lack of integrity protection in plaintext transfer is an
important security consideration for immutable that suggests they should
not be used together. I'm open to other wording on it for sure. https://
might be sufficient here.

On Fri, Oct 28, 2016 at 12:50 PM, Alex Rousskov <
rousskov@measurement-factory.com> wrote:
> On 10/26/2016 03:02 PM, Patrick McManus wrote:
>
> > o Clients should ignore immutable for resources that are not part of
> > a secure context [SECURECONTEXTS].
>
> Please think of the children^H^H^H^H proxies. AFAICT, "secure contexts"
> are currently a user agent concept. If the above "should" is meant to be
> a "SHOULD", then the draft automatically disqualifies most proxies from
> legally utilizing this promising "ignore reload" mechanism.
>
>
> Thank you,
>
> Alex.