- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 13 Nov 2014 10:55:37 +0100
- To: Mike West <mkwst@google.com>
- Cc: David Dorwin <ddorwin@google.com>, Brian Smith <brian@briansmith.org>, Mark Watson <watsonm@netflix.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Nov 13, 2014 at 10:50 AM, Mike West <mkwst@google.com> wrote: > But if offering such a thing lead to Netflix and other media providers > migrating everything but video distribution over to HTTPS, and allows us to > lock down APIs with dangerous characteristics (like EME and WebCrypto) to a > document whose ancestor chain is all HTTPS, then it's probably worth > considering, at least in the short run. Are we actually blocking fetch()'s no CORS mode? Or is that allowed to cross the HTTPS to HTTP boundary? I guess it would have to be allowed otherwise using service workers would break sites that depend on HTTP assets, but allowing it also seems rather shitty. -- https://annevankesteren.nl/
Received on Thursday, 13 November 2014 09:56:04 UTC