Re: Proposal: Marking HTTP As Non-Secure

On 16 December 2014 at 07:09, Brad Hill wrote:

> If resources are scheme relative, they will point towards https when the
> resource is https. (and work in CSP with an https: scheme policy)  So no
> brokenness.

Surely CSP is not broken. It is just that it is less useful than it could be.
One cannot use CSP report-only to check what happens if the site is served
over https: while continuing to serve it over http:. By insisting on the https:
protocol in CSP all scheme-relative URLs would generate false positives.

Received on Tuesday, 16 December 2014 06:28:01 UTC
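
The false-positive effect described in the message above, as an added example that is not part of the original thread: it resolves resource references against the page URL the way a browser does and separates report-only violations that would persist on https: from those that exist only because the page is still served over http:. The host names, sample references and function names are assumptions, the policy is simplified to scheme-sources only (as in `Content-Security-Policy-Report-Only: default-src https:`), and the example also covers path-relative references, which resolve the same way.

```javascript
// Constructed sample: resource references as written in a page's markup.
const SAMPLE_REFS = [
  "//cdn.example/lib.js",            // scheme-relative
  "https://static.example/app.css",  // absolute https
  "http://legacy.example/pixel.gif", // absolute http
  "/local/site.js",                  // path-relative, same origin
];

// True when a resolved URL satisfies a policy made only of scheme-sources
// such as ["https:"]. This is a simplification of CSP source-list matching.
function allowedByScheme(resolvedUrl, allowedSchemes) {
  return allowedSchemes.includes(new URL(resolvedUrl).protocol);
}

// Resolve each reference against the page URL, as the browser does, and
// return the ones a report-only policy would report.
function reportedViolations(pageUrl, refs, allowedSchemes) {
  return refs
    .map((ref) => ({ ref, resolved: new URL(ref, pageUrl).href }))
    .filter((r) => !allowedByScheme(r.resolved, allowedSchemes));
}

// Split the reports seen on the http: page into those that would still
// appear once the page moves to https: (real) and those that would vanish
// (false positives caused only by the current page scheme).
function triage(host, refs, allowedSchemes) {
  const onHttp = reportedViolations(`http://${host}/`, refs, allowedSchemes);
  const onHttps = new Set(
    reportedViolations(`https://${host}/`, refs, allowedSchemes).map((r) => r.ref)
  );
  return {
    real: onHttp.filter((r) => onHttps.has(r.ref)).map((r) => r.ref),
    falsePositives: onHttp.filter((r) => !onHttps.has(r.ref)).map((r) => r.ref),
  };
}

console.log(triage("site.example", SAMPLE_REFS, ["https:"]));
```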