Re: [SRI] Escaping mixed-content blocking for video distribution

On Thu, Nov 13, 2014 at 10:50 AM, Mike West <mkwst@google.com> wrote:
> But if offering such a thing leads to Netflix and other media providers
> migrating everything but video distribution over to HTTPS, and allows us to
> lock down APIs with dangerous characteristics (like EME and WebCrypto) to a
> document whose ancestor chain is all HTTPS, then it's probably worth
> considering, at least in the short run.

Are we actually blocking fetch()'s no CORS mode? Or is that allowed to
cross the HTTPS to HTTP boundary? I guess it would have to be allowed
otherwise using service workers would break sites that depend on HTTP
assets, but allowing it also seems rather shitty.


-- 
https://annevankesteren.nl/

Received on Thursday, 13 November 2014 09:56:04 UTC