Re: [spec-reviews] Strawman spec review for upgrade insecure requests (#54)

> +
> +### IDEA: Allow Sites to Signal That They Are Upgradeable Resources
> +
> +One downside of fetch (and Firefox/Chrome's implementation of mixed content
> +blocking) is that HSTS is applied after mixed content blocking has happened. So
> +sites that are known to support HTTPS are *still* blocked.
> +
> +This spec allows a site to indicate that its subresources should be upgraded.
> +However, there is still no way for a site to say, "Upgrade me when I am
> +a subresource, because I know I support HTTPS."
> +
> +## End Notes
> +
> +This draft is a very welcome move towards better handling of mixed content
> +blocking. However, in its current form, it entirely depends on the *embedding*
> +site setting the CSP header. We would like to see ways for the *embedded* sites

From TAG telecon, May 6: @mikewest suggests that this is better accomplished by talking to the HSTS folks to get HSTS to run before mixed content checks. This is somewhat difficult to implement in Chrome, but it seems better not to have a separate mechanism just for this.

---
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/pull/54/files#r29797526

Received on Wednesday, 6 May 2015 20:18:57 UTC
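As an added illustration (not code from the review, the spec draft, or any browser), the following JavaScript models the three orderings the thread is about for a single blockable (active) subresource: mixed content blocking before HSTS (the behaviour the review says Firefox and Chrome have), HSTS consulted before the mixed content check (the reordering suggested on the telecon), and the embedding page's Upgrade-Insecure-Requests directive. The HSTS host list, the URLs and the function name are constructed for the example; optionally-blockable content such as images is not modelled.

```javascript
// Added example: a toy model of how a browser might order three policies for
// one http: subresource request. Not Chrome, Firefox or spec code; the host
// list, URLs and decideSubresource() are assumptions made for illustration.

// Constructed HSTS cache: hosts the browser has previously received
// Strict-Transport-Security from, i.e. hosts known to support HTTPS.
const HSTS_HOSTS = new Set(["cdn.example"]);

// Decide what happens to one blockable (active) subresource fetch.
//   pageUrl - URL of the embedding document
//   resUrl  - URL of the subresource the page asked for
//   policy.upgradeInsecureRequests - embedding page sent the CSP directive
//   policy.hstsBeforeMixedContent  - browser checks HSTS before mixed content
// Returns { action: "load" | "upgrade" | "block", url, reason }.
function decideSubresource(pageUrl, resUrl, policy = {}) {
  const page = new URL(pageUrl);
  const res = new URL(resUrl);
  const pageIsSecure = page.protocol === "https:";

  const upgraded = (reason) => {
    res.protocol = "https:"; // rewrite scheme, keep host/path/query
    return { action: "upgrade", url: res.href, reason };
  };

  if (res.protocol !== "http:") {
    return { action: "load", url: res.href, reason: "already secure" };
  }

  // 1. upgrade-insecure-requests: the *embedding* page opted in, so every
  //    http: subresource is rewritten before any blocking decision is made.
  if (policy.upgradeInsecureRequests) {
    return upgraded("upgrade-insecure-requests");
  }

  // 2. Optional reordering: HSTS consulted before mixed content blocking.
  //    A known-HSTS host is upgraded instead of blocked, with no help from
  //    the embedding page.
  if (policy.hstsBeforeMixedContent && HSTS_HOSTS.has(res.hostname)) {
    return upgraded("hsts (checked before mixed content)");
  }

  // 3. Mixed content blocking: secure page + insecure active subresource.
  if (pageIsSecure) {
    return { action: "block", url: res.href, reason: "mixed content" };
  }

  // 4. HSTS applied only after mixed content blocking (the ordering the
  //    review complains about). On an https: page this step is never reached
  //    for a blocked request, so a known-HTTPS host is *still* blocked above.
  if (HSTS_HOSTS.has(res.hostname)) {
    return upgraded("hsts (checked after mixed content)");
  }

  return { action: "load", url: res.href, reason: "insecure page, no policy" };
}

// Demonstration of the case the review raises: cdn.example is in the HSTS
// cache, yet on an https: page it is blocked unless the order changes or
// the embedder sends upgrade-insecure-requests.
const CASES = [
  ["https://site.example/", "http://cdn.example/app.js", {}],
  ["https://site.example/", "http://cdn.example/app.js", { hstsBeforeMixedContent: true }],
  ["https://site.example/", "http://other.example/app.js", { hstsBeforeMixedContent: true }],
  ["https://site.example/", "http://other.example/app.js", { upgradeInsecureRequests: true }],
];
for (const [page, res, policy] of CASES) {
  const d = decideSubresource(page, res, policy);
  console.log(JSON.stringify(policy), res, "->", d.action, d.url, `(${d.reason})`);
}
```

The model makes the review's point concrete: with the HSTS lookup after mixed content blocking, cdn.example is blocked on an https: page even though the browser already knows it supports HTTPS; moving the lookup ahead of the check, or having the embedder send the directive, both turn that into an upgrade, and only the directive helps a host the browser has never seen HSTS from.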