- From: Yves Lafon <notifications@github.com>
- Date: Mon, 28 Aug 2023 04:48:41 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 28 August 2023 11:48:48 UTC
> Regarding a HTTP response header: We considered this when we were first proposing HTTPS-Upgrades but decided against it. An "opt-out" header is roughly equivalent to the site serving an HTTP downgrade redirect or just rejecting the HTTPS request (not responding on HTTPS or sending a reset) -- both will trigger the automatic fallback to HTTP. For sites that _explicitly_ don't support HTTPS, we would recommend they serve a downgrade redirect. For the long-tail of sites that won't modify their configs, the new header wouldn't help.

I don't see this as an opt-out, more an indication that content served through `https` and `http` are not the same, so that if an optimistic upgrade to `https` is done, the browser is aware that it's not the same content. Also it is not a downgrade (as there is no redirect involved).

For sites that don't support `https` well, then optimistic upgrade shouldn't work, no redirect to `http` (as in that case it means they support it), unless by don't support you mean have broken configuration, like widely outdated cert, or self-signed one.

-- 
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/853#issuecomment-1695555176
Message ID: <w3ctag/design-reviews/issues/853/1695555176@github.com>
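The quoted comment describes two site behaviours that both end in the same place: a server that answers HTTPS with a redirect back to `http://`, and a server that does not answer on HTTPS at all, each cause the browser to fall back to plain HTTP. The following is an added example (not code from the thread, the W3C TAG review, or any browser) that models that decision in Python over a constructed in-memory table of origins; `CONSTRUCTED_SITES`, `fetch`, `navigate` and the status strings are assumptions of this model, and a real browser's upgrade policy involves more cases (timeouts, certificate errors, HSTS) than are shown here.

```python
"""Model of optimistic HTTPS upgrade with fallback to HTTP.

Added example for illustration; the 'network' is a constructed table,
not a real transport, and the policy is a simplification of what a
browser actually does.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


# Constructed sample origins and how each answers an HTTPS request.
# None models "no response on HTTPS" (refused, reset or timed out).
CONSTRUCTED_SITES = {
    "https://modern.example": Response(200),
    "https://legacy.example": None,
    "https://downgrade.example": Response(301, {"Location": "http://downgrade.example/"}),
    "https://moved.example": Response(301, {"Location": "https://new.example/"}),
}


def fetch(url: str) -> Optional[Response]:
    """Stand-in for a network fetch: looks the origin up in the constructed table."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return Response(200)  # in this model plain HTTP always answers
    return CONSTRUCTED_SITES.get(f"{parts.scheme}://{parts.netloc}")


def is_downgrade_redirect(request_url: str, response: Response) -> bool:
    """True when an HTTPS request is redirected to http:// on the same host."""
    if response.status not in (301, 302, 307, 308):
        return False
    target = urlsplit(response.headers.get("Location", ""))
    requested = urlsplit(request_url)
    return target.scheme == "http" and target.hostname == requested.hostname


def navigate(http_url: str) -> Tuple[str, str]:
    """Optimistically upgrade an http:// URL and report where we ended up.

    Returns (final_url, outcome). Fallback to the original http:// URL
    happens when HTTPS gives no response or a same-host downgrade redirect,
    which is the equivalence the quoted comment describes.
    """
    parts = urlsplit(http_url)
    if parts.scheme != "http":
        return http_url, "not-upgraded"
    https_url = urlunsplit(("https",) + tuple(parts[1:]))
    response = fetch(https_url)
    if response is None:
        return http_url, "fallback:no-https"
    if is_downgrade_redirect(https_url, response):
        return http_url, "fallback:downgrade-redirect"
    # Any other answer (including a cross-host redirect) counts as HTTPS
    # being served; following that redirect is outside this model.
    return https_url, "upgraded"


if __name__ == "__main__":
    for url in ("http://modern.example/", "http://legacy.example/",
                "http://downgrade.example/", "http://moved.example/"):
        print(url, "->", navigate(url))
```

`navigate` treats the explicit downgrade redirect and the silent HTTPS failure identically, which is the point the quoted commenter makes: an opt-out signal a site would have to configure adds nothing over behaviours the browser must already handle.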