Re: Proposal: Marking HTTP As Non-Secure from Igor Bukanov on 2014-12-16 (public-webappsec@w3.org from December 2014)

From: Igor Bukanov <igor@mir2.org>
Date: Tue, 16 Dec 2014 07:02:35 +0100
To: Mike West <mkwst@google.com>
Cc: Ryan Sleevi <rsleevi@chromium.org>, Daniel Veditz <dveditz@mozilla.com>, Michal Zalewski <lcamtuf@google.com>, Peter Bowen <pzbowen@gmail.com>, Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADd11yVM+GDG+k8UtEQ6U4arN36C__D0xfXYneQn=dOTMiLRzw@mail.gmail.com>

On 16 December 2014 at 06:40, Mike West <mkwst@google.com> wrote:

>
> Nothing in CSP should prevent scheme-relative URLs from functioning; they
> should resolve relative to the document in which they're embedded, and CSP
> should block or allow them accordingly.
>
>
The idea is to use CSP reports to check if a site is ready for https switch
before the actual switch by insisting on https: protocol for all resources.
That does not work with scheme-relative URLs.

Received on Tuesday, 16 December 2014 06:03:02 UTC