- From: Chris Palmer <palmer@google.com>
- Date: Wed, 10 Dec 2014 16:43:36 -0800
- To: David Walp <David.Walp@microsoft.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Dec 10, 2014 at 2:32 PM, David Walp <David.Walp@microsoft.com> wrote:

> 1) Section 2.2, TLS-protected & Weakly TLS-protected (and throughout the
> spec).
>
> There appears to be an assumption the only environment is the internet and
> that intranet environments are not addressed. We think this would be
> addressed by adding wording in section 2.2 that stated User agents are free
> to interpret protection within a trusted environment.

How should a UA programmatically and unambiguously determine that the page's origin is served from an intranet server?

What about passive and active attackers on the intranet?

Why create ambiguity in the user's overall browsing experience?

Why create an affordance for not fixing mixed content bugs?

Received on Thursday, 11 December 2014 00:44:03 UTC