Re: [whatwg/fetch] Privacy-preserving HSTS (#920)

> https://w3c.github.io/webappsec-mixed-content/level2.html does help and would thwart the attack described on the WebKit blog. Attackers could still play with navigations, but that's much more visible.

As pointed out by Matt, auto-upgrade of passive mixed content only fixes the problem on HTTPS pages. HSTS supercookies still work on HTTP pages.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/920#issuecomment-535927830

Received on Friday, 27 September 2019 12:57:45 UTC
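To make the point in the comment above concrete, here is an added example (it is not code from the thread, from WebKit, or from the fetch or mixed-content specs): a small Node.js model of an HSTS supercookie. The tracker encodes one bit of an identifier per subdomain by setting Strict-Transport-Security on the subdomains whose bit is 1, then reads the bits back by loading plain-http subresources and observing which ones the browser upgrades. The hostnames, the four-bit width and the server behaviour (the https endpoint answers 200 with an HSTS header, the http endpoint answers 404, so a successful load is the oracle) are assumptions of this model, not details from the page.

```javascript
'use strict';
// Added example, not code from the thread or from any browser or spec project.
// Models an HSTS supercookie and shows why Mixed Content Level 2 auto-upgrade
// defeats the read-out on HTTPS pages but not on HTTP pages.
// Hostnames, bit width and server responses are hypothetical.

const BIT_HOSTS = ['b0.track.example', 'b1.track.example', 'b2.track.example', 'b3.track.example'];

// Tracker server model (assumed): the https endpoint serves 200 and sets HSTS,
// the http endpoint serves 404. A load that succeeds therefore means the
// request went out over https, i.e. the browser upgraded it.
function trackerServer(scheme) {
  return scheme === 'https' ? { ok: true, hsts: true } : { ok: false, hsts: false };
}

// Browser model: an HSTS store plus the two upgrade rules that matter here.
class Browser {
  constructor() { this.hsts = new Set(); }

  // Scheme the browser really uses for a subresource URL on a given page.
  resolveScheme(pageScheme, url, autoUpgradeMixedContent) {
    const u = new URL(url);
    if (u.protocol === 'https:') return 'https';
    if (this.hsts.has(u.hostname)) return 'https';                     // HSTS upgrade, on any page
    if (pageScheme === 'https' && autoUpgradeMixedContent) return 'https'; // Mixed Content Level 2
    return 'http';                                                      // plain http page: no mixed-content rules apply
  }

  // Load a subresource; returns true on a successful (200) load.
  load(pageScheme, url, autoUpgradeMixedContent) {
    const { hostname } = new URL(url);
    const scheme = this.resolveScheme(pageScheme, url, autoUpgradeMixedContent);
    const res = trackerServer(scheme);
    // Browsers only honour Strict-Transport-Security on https responses.
    if (scheme === 'https' && res.hsts) this.hsts.add(hostname);
    return res.ok;
  }
}

// Write phase: an explicit https load for every 1 bit pins HSTS on that host.
function writeId(browser, id, pageScheme = 'https') {
  BIT_HOSTS.forEach((host, i) => {
    if ((id >> i) & 1) browser.load(pageScheme, `https://${host}/set`, true);
  });
}

// Read phase: load http URLs; an upgraded (successful) load reveals a 1 bit.
function readId(browser, pageScheme, autoUpgradeMixedContent) {
  return BIT_HOSTS.reduce((id, host, i) =>
    id | (browser.load(pageScheme, `http://${host}/read`, autoUpgradeMixedContent) ? 1 << i : 0), 0);
}

// The three situations discussed in the thread, in this order so the
// auto-upgraded read (which itself pins HSTS on every host) comes last.
function demo() {
  const b = new Browser();
  writeId(b, 0b1010);
  return {
    httpPage: readId(b, 'http', true),         // 10: auto-upgrade never applies, the id leaks
    httpsNoUpgrade: readId(b, 'https', false), // 10: the pre-Level-2 HTTPS-page attack
    httpsUpgraded: readId(b, 'https', true),   // 15: every bit reads as 1, nothing is learned
  };
}

console.log(demo());
```

The `httpsUpgraded` case is the one Mixed Content Level 2 fixes: every http image on an HTTPS page is sent over https whether or not the host is in the HSTS store, so the tracker sees identical results for 0 and 1 bits. The `httpPage` case is unchanged, which is the residual problem the comment refers to.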