Re: Proposal: Marking HTTP As Non-Secure

On Mon, Dec 15, 2014 at 9:29 PM, Igor Bukanov <igor@mir2.org> wrote:
>
> On 15 December 2014 at 18:54, Daniel Veditz <dveditz@mozilla.com> wrote:
>
>> Serve the HTML page over http: but load all sub-resources over https: as
>> expected after the transition. Add the following header:
>>
>> Content-Security-Policy-Report-Only: default-src https:; report-uri <me>
>>
>
> This is a nice trick! However, it does not work in general due to the use
> of protocolless-links starting with // . Or should those be discouraged?
>
>
Sounds like a CSP-bug to me; scheme-relative URLs are awesome, and we
should encourage them (over explicit http://-schemed URLs).

Received on Tuesday, 16 December 2014 05:35:53 UTC
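
The interaction discussed in this thread, as an added example that is not part of the original messages: scheme-relative (`//host/path`) references inherit the scheme of the page, so on an http: page they resolve to http: and do not match `default-src https:`, although the same markup would match once the page itself is served over https:. The host names and the helper names `wouldReport` and `compareTransition` are constructed for illustration, and the check models only scheme matching of the resolved URL (inline script/style, `data:` and `blob:` are not modelled).

```javascript
// Simplified model of `Content-Security-Policy-Report-Only: default-src https:`.
// Only the scheme of the resolved sub-resource URL is compared; this is an
// assumption of the sketch, not a full CSP matcher.
function resolvedScheme(ref, pageUrl) {
  // WHATWG URL resolution: "//host/x" takes its scheme from pageUrl.
  return new URL(ref, pageUrl).protocol; // "http:" or "https:"
}

// References that would produce a violation report on the given page.
function wouldReport(refs, pageUrl) {
  return refs.filter((ref) => resolvedScheme(ref, pageUrl) !== "https:");
}

// Constructed sample references, as they might appear in src/href attributes.
const SAMPLE_REFS = [
  "https://static.example.com/app.js",    // explicit https
  "//cdn.example.com/lib.js",             // scheme-relative
  "/img/logo.png",                        // path-relative, same origin
  "http://legacy.example.com/banner.gif", // explicit http
];

// Compare reports for the same markup before and after the page moves to https.
function compareTransition(refs, host) {
  const before = wouldReport(refs, `http://${host}/`);
  const after = wouldReport(refs, `https://${host}/`);
  return {
    reportedOnHttp: before,
    reportedOnHttps: after,
    // Reported only because the test page itself is still on http:
    noiseFromHttpBase: before.filter((ref) => !after.includes(ref)),
  };
}

console.log(compareTransition(SAMPLE_REFS, "www.example.com"));
```

Only the explicit `http://` reference is reported in both cases; the scheme-relative and path-relative references are reported solely because the test page is still served over http:.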