[whatwg/fetch] Next steps for HTTPS state (#1062)

HTTPS state causes issues with the secure context definition, as discussed in https://github.com/whatwg/html/issues/4930#issuecomment-658124183. I've checked with folks on the Chrome side, and we no longer need the "deprecated" HTTPS state, so we can fix that issue. I'm willing to work on helping remove it.

However, I need some guidance. Can we remove the "HTTPS state" concept entirely? I'm not sure. The usage sites I've found are:

- [Secure context definition](https://html.spec.whatwg.org/#secure-context) only cares about "deprecated". So it won't use this.
- [CORP check](https://fetch.spec.whatwg.org/#ref-for-concept-response-https-state%E2%91%A0) cares about "none". Could this use the response's URL's trustworthiness instead?
- [Hyperlink auditing](https://html.spec.whatwg.org/#hyperlink-auditing) cares about "none". Could this use the Document's creation URL's trustworthiness instead? Or maybe it should be using an actual secure context check?

All other references to HTTPS state in HTML and Fetch appear to be plumbing from responses to new environment settings objects.

If we can't remove it, then: should we just keep the infrastructure as-is, and remove the "deprecated" state? Or maybe we should go further and rename things to make a bit more sense, e.g. change it to a "securely delivered" boolean? Are there other simplifications we could make?

https://github.com/whatwg/fetch/issues/1062

Received on Monday, 27 July 2020 18:20:53 UTC