Re: [spec-reviews] Strawman spec review for upgrade insecure requests (#54)

> +ensure that the content is loaded securely or at all. Inevitably, moving to
> +a secure origin causes problems with mixed content blocking if the page has
> +third party content that doesn't yet support HTTPS, a problem which the spec
> +does not address.
> +
> +### ISSUE: Same-Origin vs Cross-Origin Behavior Unclear in Examples
> +
> +Talking to other TAG members about the spec, it became apparent that some of us
> +thought the spec only applied upgrades to same-origin requests. I attribute
> +most of my confusion to the examples in Section 1.2. Example #1 uses the
> +example of `<img src="http://example.com/image.png">` being upgraded on
> +`https://example.com` and Example #2 explicitly says that `<a
> +href="http://not-example.com/">Home</a>` will *not* be upgraded on
> +`https://example.com`. It would be better if Example #1 explicitly said that
> +a third-party origin like `not-example.com` is upgradeable in that context, so
> +that readers don't generalize Example #2 to all requests.
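Review bot: The proposed fix for Example #1 ("a third-party origin like `not-example.com` is upgradeable in that context") leaves "that context" undefined, so it still does not tell the reader what separates the two examples. Example #1 is an `<img src>` subresource fetch and Example #2 is an `<a href>` navigation, so they differ in request type as well as in origin; the added sentence should say which of those two differences drives the upgrade decision, otherwise the origin-based reading this issue is trying to prevent remains available.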

Totally agree. Filed https://github.com/w3c/webappsec/issues/301

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/pull/54/files#r29034012

Received on Friday, 24 April 2015 09:01:28 UTC
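To make the distinction the review asks for concrete, here is an added example, written for this edit and not code from the thread, the TAG review, or the Upgrade Insecure Requests spec. It models the upgrade decision in JavaScript: non-navigation fetches such as `<img src>` are rewritten to https: whatever origin they point at, navigations such as `<a href>` only when they stay on the document's own host. The hostname comparison for navigations, the `isNavigation` flag and all function names are assumptions of this model, which omits the rest of the spec's algorithm; the sample cases are constructed from the two examples quoted above plus the third-party subresource case the review wants spelled out.

```javascript
// Added example, not code from the thread or the spec: a simplified model of
// how upgrade-insecure-requests decides whether to rewrite an http: request.
// The hostname comparison for navigations and the isNavigation flag are
// assumptions of this model, not text taken from the review.

// Decide whether a request issued by the document at documentUrl gets upgraded.
function shouldUpgrade(documentUrl, requestUrl, isNavigation) {
  const req = new URL(requestUrl);
  // Only a priori insecure (http:) requests are candidates; https: and other
  // schemes are left alone.
  if (req.protocol !== "http:") return false;
  // Non-navigation fetches (img, script, style, fetch()) are upgraded no
  // matter which origin they point at: example.com and not-example.com alike.
  if (!isNavigation) return true;
  // Navigations (<a href>, form submission) are upgraded only when they stay
  // on the document's own host; a link to another host is left as http:.
  return req.hostname === new URL(documentUrl).hostname;
}

// Rewrite http: to https:. The URL parser already drops an explicit :80 as
// http's default port, so after the scheme change the implicit port is 443;
// any other explicit port (e.g. :8080) is kept unchanged.
function upgradeUrl(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol !== "http:") return u.href;
  u.protocol = "https:";
  return u.href;
}

// The URL the browser would actually request. Upgrading is purely a rewrite:
// nothing here checks that the target host serves HTTPS, so a third party
// that does not yet support it simply fails to load after the rewrite, which
// is the concern the review raises.
function effectiveUrl(documentUrl, requestUrl, isNavigation) {
  return shouldUpgrade(documentUrl, requestUrl, isNavigation)
    ? upgradeUrl(requestUrl)
    : new URL(requestUrl).href;
}

// Constructed cases: the two spec examples cited in the review plus the
// third-party subresource case the review wants Example #1 to spell out.
const CASES = [
  { doc: "https://example.com/", req: "http://example.com/image.png",     nav: false, expect: "https://example.com/image.png" },
  { doc: "https://example.com/", req: "http://not-example.com/image.png", nav: false, expect: "https://not-example.com/image.png" },
  { doc: "https://example.com/", req: "http://not-example.com/",          nav: true,  expect: "http://not-example.com/" },
  { doc: "https://example.com/", req: "http://example.com:80/login",      nav: true,  expect: "https://example.com/login" },
];

// Run every case and attach the URL the model would actually request.
function runCases() {
  return CASES.map(c => ({ ...c, got: effectiveUrl(c.doc, c.req, c.nav) }));
}

for (const r of runCases()) {
  console.log(`${r.nav ? "nav" : "sub"} ${r.req} -> ${r.got} ${r.got === r.expect ? "ok" : "MISMATCH"}`);
}
```

The second case is the one the review wants Example #1 to state explicitly: a subresource on `not-example.com` is upgraded just like one on `example.com`, and only the navigation in the third case is left on http:.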