Re: [spec-reviews] Strawman spec review for upgrade insecure requests (#54)

> +
> +As mentioned in 6.2, there is a security issue if a document is able to get
> +violation reports for cross-origin nested documents (iframes, etc.) which
> +inherit upgrade policy. So if a nested document does not specify its reporting
> +endpoint, do all reports from the nested document get blocked?
> +
> +### IDEA: Cache/Pin Successful Upgrades
> +
> +Thinking about the broader goal of encrypting the web, it would be nice if
> +user agents could remember which subresources have been successfully upgraded
> +through this mechanism. That way, on a page that has not set the CSP header,
> +the known-upgradeable subresources could be upgraded anyway.
> +
> +### IDEA: Allow Sites to Signal That They Are Upgradeable Resources
> +
> +One downside of fetch (and Firefox/Chrome's implementation of mixed content

:'(

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/pull/54/files#r29079592

Received on Friday, 24 April 2015 19:47:21 UTC