- From: Mike West <notifications@github.com>
- Date: Thu, 23 Apr 2015 21:15:41 -0700
- To: w3ctag/spec-reviews <spec-reviews@noreply.github.com>
Received on Friday, 24 April 2015 04:16:08 UTC
> + > +As mentioned in 6.2, there is a security issue if a document is able to get > +violation reports for cross-origin nested documents (iframes, etc.) which > +inherit upgrade policy. So if a nested document does not specify its reporting > +endpoint, do all reports from the nested document get blocked? > + > +### IDEA: Cache/Pin Successful Upgrades > + > +Thinking about the broader goal of encrypting the web, it would be nice if > +user agents could remember which subresources have been successfully upgraded > +through this mechanism. That way, on a page that has not set the CSP header, > +the known-upgradeable subresources could be upgraded anyway. > + > +### IDEA: Allow Sites to Signal That They Are Upgradeable Resources > + > +One downside of fetch (and Firefox/Chrome's implementation of mixed content

(And IE11. And Opera. And Safari's warnings, though it doesn't actually support mixed content blocking.)

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/pull/54/files#r29022765
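Review bot: In the "IDEA: Cache/Pin Successful Upgrades" section, the proposal to upgrade remembered subresources "on a page that has not set the CSP header" does not say how long a user agent keeps that memory or what it does when a previously upgradeable resource stops being served over HTTPS. Add a sentence on expiry and fallback, since a stale entry would turn into a failed load on a page that never opted in. The nested-document paragraph before it ends on an open question ("do all reports from the nested document get blocked?"); state which behaviour the review wants the spec to define, so the authors have something concrete to answer.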