Re: [w3c/ServiceWorker] Should mixed content always be blocked? (#813)

> The Mixed Content check happens at an earlier stage, that's why that happens. I think you are correct that theoretically it could be made to work. I recommend using https://w3c.github.io/webappsec-upgrade-insecure-requests/ to work around this.

Yes, I presumed it was, but am curious why...but, yeah.
Re the 'webappsec-upgrade' reference, if I read it correctly, it would seem like it's not viable:

https://w3c.github.io/webappsec-upgrade-insecure-requests/#goals

We have two servers, one is a cloudfront URL serving https from an s3 bucket (which always serves http); the other is an API endpoint that has also been upgraded to https (probably using cloudfront). So, our servers are all set up to serve https, but the code has hard-coded http references.
It looks to me like `Content-Security-Policy: upgrade-insecure-requests` will help with the S3 files, but not the API calls.

Is my understanding correct? It's all quite a lot to take in, tbh - but I'll read it all and see if I can grok it.

...or should I ask for both servers to send that header and it'll fix it? (NB, I'm front-end, so I need to communicate this to a back-end engineer). Maybe it's something that's easy just to try.

I should also point out that said b/e engineer has managed to recreate the project from map files and node-modules content etc (it's not an old project, just lost the git repo so only have built production code). So, I am balancing the desire to get something up quickly and getting a 'proper' solution later, against resigning myself to no 'quick solution' and putting all effort into the 'proper solution'. As such, feel free to advise accordingly.

https://github.com/w3c/ServiceWorker/issues/813#issuecomment-1047552606

Received on Tuesday, 22 February 2022 08:43:15 UTC
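As an added illustration (not code from the thread, the spec, or the project under discussion), this models the request-upgrade step of the linked webappsec-upgrade-insecure-requests spec: on a page whose CSP carries the directive, the browser rewrites http:/ws: requests to https:/wss: before they leave the browser, exempting only navigations to a different host; the hostnames and URLs are constructed placeholders.

```javascript
// Added example: models the "upgrade request" rule from the
// upgrade-insecure-requests spec for one page's requests.
// All hostnames below are constructed placeholders, not the thread's servers.

// ctx.documentOrigin: origin of the page making the request
// ctx.policyUpgrades: true when the page's CSP has upgrade-insecure-requests
// ctx.isNavigation:   true for navigations/form submissions, false for fetch/XHR/subresources
function upgradeIfInsecure(requestUrl, ctx) {
  const url = new URL(requestUrl);
  // Only http: and ws: are candidates; anything else passes through untouched.
  if (url.protocol !== 'http:' && url.protocol !== 'ws:') return url.href;
  // Without the directive the browser leaves the request alone.
  if (!ctx.policyUpgrades) return url.href;
  // Navigations to another host are exempt: a page cannot force a
  // third-party site onto https: just by linking to it.
  if (ctx.isNavigation && url.hostname !== new URL(ctx.documentOrigin).hostname) {
    return url.href;
  }
  // http -> https, ws -> wss. The URL parser already dropped an explicit :80,
  // so the default port 443 applies; a non-default port is kept as-is.
  url.protocol = url.protocol === 'http:' ? 'https:' : 'wss:';
  return url.href;
}

// On an https: page, any request still on http:/ws: after this step is mixed
// content. As the quoted reply explains, that check runs before a service
// worker's fetch handler, so the worker never gets a chance to rewrite it.
function isMixedContent(finalUrl, documentOrigin) {
  const p = new URL(finalUrl).protocol;
  return new URL(documentOrigin).protocol === 'https:' && (p === 'http:' || p === 'ws:');
}

function upgradedRequests(urls, ctx) {
  return urls.map(u => upgradeIfInsecure(u, ctx));
}

// Constructed sample of the hard-coded http: references the thread describes:
// a static file (S3 behind CloudFront) and an API endpoint called from script.
const page = { documentOrigin: 'https://app.example', policyUpgrades: true, isNavigation: false };
const hardCoded = [
  'http://assets.example/bundle.js',
  'http://api.example/v1/items',
  'ws://api.example/live',
];
console.log(upgradedRequests(hardCoded, page));
```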