Re: CSP: non-TLS scheme restrictions must allow TLS-enabled schemes automatically

Adam Barth wrote:
> Maybe the better solution is to remove the ability to specify the
> "http" scheme? The site can explain which host names it likes. Over
> "http", these host names mean http or https and over "https" they
> mean just https.

That is more elegant, but it would mean that a document delivered over HTTP(S) could never have any non-HTTP(S) subresources. In particular, what about ftp(s):// resources? Also, I am not sure it is a good idea to drop the ability for a page delivered over (non-TLS) HTTP to restrict certain kinds of subresources (e.g. scripts or objects) to being loaded over HTTPS.

- Brian

Received on Monday, 27 June 2011 18:39:36 UTC
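The two interpretations under discussion (a scheme-less host inheriting the document's scheme, versus an explicit "http://" source that also admits "https://") can be made concrete in code. The following is an added example, not code from this thread or from any browser; it implements the scheme-part matching rule that CSP Level 3 later standardised (a source naming "http" also matches "https", and "ws" also matches "wss"; every other scheme, including ftp, must match exactly) together with a simplified host and port check. The function names `parse_source`, `scheme_matches`, `host_matches` and `source_allows`, and the example URLs, are constructed for illustration.

```python
from urllib.parse import urlsplit

# Default ports used when a URL or source expression omits one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}

# Scheme pairs where a source naming the non-TLS scheme also permits the
# TLS-enabled one. This is the CSP Level 3 scheme-part matching rule; note
# that ftp -> ftps is deliberately absent, so an "ftp://" source stays exact.
TLS_UPGRADES = {"http": "https", "ws": "wss"}


def scheme_matches(expr_scheme, url_scheme):
    """True if a source-expression scheme admits a URL scheme."""
    if expr_scheme == url_scheme:
        return True
    return TLS_UPGRADES.get(expr_scheme) == url_scheme


def host_matches(pattern, host):
    """Match a host pattern: exact host, '*', or a '*.example.com' wildcard."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.com"
        # The wildcard covers subdomains only, not the bare apex.
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def parse_source(expr):
    """Split a host-source expression into (scheme or None, host, port or None)."""
    scheme = None
    rest = expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    host, _, port = rest.partition(":")
    return scheme, host.lower(), (int(port) if port else None)


def source_allows(expr, url, document_scheme):
    """Decide whether source expression `expr`, evaluated in a document
    served over `document_scheme`, permits loading `url`."""
    expr_scheme, expr_host, expr_port = parse_source(expr)
    parts = urlsplit(url)
    url_scheme = parts.scheme.lower()

    # A scheme-less source inherits the document's scheme: on an http page
    # "cdn.example.com" covers http and https, on an https page only https.
    effective_scheme = expr_scheme if expr_scheme else document_scheme
    if not scheme_matches(effective_scheme, url_scheme):
        return False

    if not host_matches(expr_host, (parts.hostname or "").lower()):
        return False

    url_port = parts.port or DEFAULT_PORTS.get(url_scheme)
    if expr_port is None:
        # No explicit port in the source: the URL must use its scheme's default.
        return url_port == DEFAULT_PORTS.get(url_scheme)
    return url_port == expr_port


if __name__ == "__main__":
    # Constructed sample decisions illustrating the thread's two cases.
    for expr, url, doc in [
        ("cdn.example.com", "https://cdn.example.com/app.js", "http"),
        ("cdn.example.com", "http://cdn.example.com/app.js", "https"),
        ("http://cdn.example.com", "https://cdn.example.com/app.js", "https"),
        ("ftp://files.example.com", "ftps://files.example.com/a.tgz", "http"),
    ]:
        print(f"{expr!r} on {doc} page allows {url}: {source_allows(expr, url, doc)}")
```

The third case shows why keeping an explicit "http://" source is not redundant: an https page that wants to permit a host over https only can write "https://cdn.example.com", while a page that must stay tolerant of either transport writes "http://cdn.example.com" and still never admits a plaintext load on an https document unless it asks for one. The ftp case makes Brian's point visible: with the adopted rule, an "ftp://" source does not automatically extend to ftps.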