
Re: Proposal: Marking HTTP As Non-Secure

From: Mike West <mkwst@google.com>
Date: Tue, 16 Dec 2014 06:40:26 +0100
Message-ID: <CAKXHy=drT-uxdLN+XjoHL_CMSnHDPedM3R00_O+ViK=4K47MwA@mail.gmail.com>
To: Ryan Sleevi <rsleevi@chromium.org>
Cc: Igor Bukanov <igor@mir2.org>, Daniel Veditz <dveditz@mozilla.com>, Michal Zalewski <lcamtuf@google.com>, Peter Bowen <pzbowen@gmail.com>, Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Dec 16, 2014 at 6:35 AM, Ryan Sleevi <rsleevi@chromium.org> wrote:
> On Mon, Dec 15, 2014 at 9:29 PM, Igor Bukanov <igor@mir2.org> wrote:
>> On 15 December 2014 at 18:54, Daniel Veditz <dveditz@mozilla.com> wrote:
>>> Serve the HTML page over http: but load all sub-resources over https: as
>>> expected after the transition. Add the following header:
>>> Content-Security-Policy-Report-Only: default-src https:; report-uri <me>
>> This is a nice trick! However, it does not work in general due to the use
>> of protocolless-links starting with // . Or should those be discouraged?
> Sounds like a CSP-bug to me; scheme-relative URLs are awesome, and we
> should encourage them (over explicit http://-schemed URLs)

-lists other than public-webappsec@.

Nothing in CSP should prevent scheme-relative URLs from functioning; they
should resolve relative to the document in which they're embedded, and CSP
should block or allow them accordingly.

If that doesn't work, please file bugs. :)


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 16 December 2014 05:41:15 UTC
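The two claims in the thread, that a `Content-Security-Policy-Report-Only: default-src https:` header on an http: page reports every non-https sub-resource, and that a scheme-relative `//host/path` reference resolves against the document's own scheme before CSP ever sees it, can be checked without a browser. The following is an added example, not code from the thread or from any of the participants: it resolves each reference the way an HTML parser would (relative to the document URL) and then evaluates the result against the `default-src` source list. The host names, the `/csp-report` path and the reference list are constructed sample data, and the policy matcher implements only the scheme-source form (`https:`) that the header in the thread uses, not the full CSP source-list grammar.

```javascript
// Added example (not from the thread): simulate what a browser does with
// `Content-Security-Policy-Report-Only: default-src https:` for a given
// document URL and the sub-resource references found in its markup.
//
// Deliberately narrow: only the scheme-source form ("https:") of the CSP
// source-list grammar is implemented, because that is all the header in
// the thread uses. Host names and paths below are constructed sample data.

const POLICY = "default-src https:; report-uri /csp-report"; // /csp-report is an assumed path

// Minimal directive-list parser; returns { directiveName: [sourceExpr, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does an already-resolved URL match one source expression? Only the
// scheme-source form (e.g. "https:") is supported in this example.
function matchesSource(url, source) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol.toLowerCase() === source.toLowerCase();
  }
  throw new Error(`source expression not supported in this example: ${source}`);
}

// Resolve each reference relative to the document URL (this is where a
// scheme-relative "//host/x" inherits http: or https: from the page), then
// evaluate it against default-src. Returns one record per reference with
// the absolute URL and whether the report-only policy would send a report.
function evaluate(documentUrl, references, policy = POLICY) {
  const { "default-src": sources = [] } = parsePolicy(policy);
  return references.map((ref) => {
    const resolved = new URL(ref, documentUrl);
    const allowed = sources.some((s) => matchesSource(resolved, s));
    return { ref, resolved: resolved.href, reported: !allowed };
  });
}

// Constructed sample: the same markup, served before and after the transition.
const REFERENCES = [
  "https://cdn.example/app.js",   // explicit https: passes on either page
  "http://cdn.example/legacy.js", // explicit http: is reported on either page
  "//cdn.example/shared.js",      // scheme-relative: follows the document's scheme
  "/img/logo.png",                // path-relative: also follows the document's scheme
];

// Convenience: just the references that would produce a violation report.
function reportedRefs(documentUrl) {
  return evaluate(documentUrl, REFERENCES)
    .filter((r) => r.reported)
    .map((r) => r.ref);
}

for (const doc of ["http://www.example/", "https://www.example/"]) {
  console.log(doc, "->", reportedRefs(doc));
}
```

On the http: page the scheme-relative and path-relative references resolve to http: URLs and are reported alongside the explicit `http://` one, which is the effect Igor describes; the same markup served from https: reports only the hard-coded `http://` reference. That is the behaviour Mike describes as correct: the URLs resolve relative to the document, and CSP judges the resolved URL. In practice the trick therefore surfaces scheme-relative references as noise during the http: rehearsal, and the report consumer has to distinguish them from references that will still be http: after the switch, for example by re-running the same check with the document URL rewritten to https: as done here.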
