Re: [spec-reviews] Strawman spec review for upgrade insecure requests (#54)

> +
> +Talking to other TAG members about the spec, it became apparent that some of us
> +thought the spec only applied upgrades to same-origin requests. I attribute
> +most of my confusion to the examples in Section 1.2. Example #1 uses the
> +example of `<img src="http://example.com/image.png">` being upgraded on
> +`https://example.com` and Example #2 explicitly says that `<a
> +href="http://not-example.com/">Home</a>` will *not* be upgraded on
> +`https://example.com`. It would be better if Example #1 explicitly said that
> +a third-party origin like `not-example.com` is upgradeable in that context, so
> +that readers don't generalize Example #2 to all requests.
> +
> +### CLARIFICATION: Wording in Terminology
> +
> +The wording "depend on the upgrade-insecure-requests mechanism" in Section 2 is
> +unclear. It seems to mean something like, "the same with and without
> +upgrade-insecure-requests" from context, but I'm not sure.
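Review bot: The Section 1.2 paragraph asks for Example #1 to be made explicit but does not propose the text; the request is easier to act on if it includes the suggested addition, e.g. a second upgraded subresource such as `<img src="http://not-example.com/image.png">` on `https://example.com` placed directly beside the existing same-origin `<img>`, so the contrast with Example #2's `<a href="http://not-example.com/">` shows readers that the two examples differ in the kind of request (embedded resource versus navigation), not in the origin. Likewise, the Terminology item ends with "but I'm not sure"; stating the reading the reviewer believes is intended as a proposed replacement sentence gives the spec editors something concrete to accept or correct, rather than only a report that the phrase is unclear.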

This is meant to encompass sites which would be broken over HTTPS in browsers that don't support the upgrade mechanism (due to mixed content blocking, for instance). How would you suggest making that clearer?

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/pull/54/files#r29022846

Received on Friday, 24 April 2015 04:19:17 UTC