Re: [spec-reviews] Strawman spec review for upgrade insecure requests (#54)

> +
> +Talking to other TAG members about the spec, it became apparent that some of us
> +thought the spec only applied upgrades to same-origin requests. I attribute
> +most of my confusion to the examples in Section 1.2. Example #1 uses the
> +example of `<img src="http://example.com/image.png">` being upgraded on
> +`https://example.com` and Example #2 explicitly says that `<a
> +href="http://not-example.com/">Home</a>` will *not* be upgraded on
> +`https://example.com`. It would be better if Example #1 explicitly said that
> +a third-party origin like `not-example.com` is upgradeable in that context, so
> +that readers don't generalize Example #2 to all requests.
> +
> +### CLARIFICATION: Wording in Terminology
> +
> +The wording "depend on the upgrade-insecure-requests mechanism" in Section 2 is
> +unclear. It seems to mean something like, "the same with and without
> +upgrade-insecure-requests" from context, but I'm not sure.

https://github.com/w3c/webappsec/commit/7deb537c8d855ab561c2adbeca66b4b6d9576c25#diff-917460852b1399c109de636d4062669d

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/pull/54/files#r29786286

Received on Wednesday, 6 May 2015 18:19:42 UTC