Re: Proposal: Marking HTTP As Non-Secure

On 15 December 2014 at 18:54, Daniel Veditz <> wrote:

> Serve the HTML page over http: but load all sub-resources over https: as
> expected after the transition. Add the following header:
> Content-Security-Policy-Report-Only: default-src https:; report-uri <me>

This is a nice trick! However, it does not work in general due to the use
of protocolless-links starting with // . Or should those be discouraged?

Received on Tuesday, 16 December 2014 05:29:53 UTC