On Thu, Nov 13, 2014 at 10:55 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > Are we actually blocking fetch()'s no CORS mode? Or is that allowed to > cross the HTTPS to HTTP boundary? I guess it would have to be allowed > otherwise using service workers would break sites that depend on HTTP > assets, but allowing it also seems rather shitty. It's not clear to me where we ended up in that conversation. My suggestion was that we allow requests based on the request context: if the user agent would block script, then block insecure script requests from a SW. If the user agent would display images, don't block insecure image requests from a SW. Whether we'd degrade the UI for every page using the SW or just the page making the insecure request is probably an open question . -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 13 November 2014 10:17:17 UTC