Re: [spec-reviews] Strawman spec review for upgrade insecure requests (#54)

> +face when transitioning from plaintext HTTP to secure connections.
> +
> +### ISSUE: Goal 1 Unclear
> +
> +Section 1.1, Goal 1:
> +
> +> Authors should be able to ensure that all content requested by a given page
> +> loads successfully, and securely. Mixed content blocking should not break
> +> pages as a result of migrating to a secure origin.
> +
> +This seems somewhat too ambitious for the spec. If third-party content on
> +a page does not support HTTPS or stops supporting HTTPS, the page author cannot
> +ensure that the content is loaded securely or at all. Inevitably, moving to
> +a secure origin causes problems with mixed content blocking if the page has
> +third party content that doesn't yet support HTTPS, a problem which the spec
> +does not address.

It's meant to be read in context of the preceding paragraph of conditions: "If we assume that ... authors also ensure that content is accessible at the same host and path on a secure scheme, then ...".

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/pull/54/files#r29033818

Received on Friday, 24 April 2015 08:58:26 UTC