[MIX] Interaction between HSTS and mixed content blocking

From: Brian Smith <brian@briansmith.org>
Date: Wed, 19 Nov 2014 13:07:50 -0800
Message-ID: <CAFewVt7f7XZ+pBy06jBHrSLMHBKiUP29Zvx7B7BHesvfZPmbdg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

The mixed content document should specify how http:// links for HSTS
origins work: does the blocking happen before or after the internal
redirect?

See Henri Sivonen's comment here:
https://bugzilla.mozilla.org/show_bug.cgi?id=838395#c11

In particular, see the message he cited, regarding how browsers'
current behavior is problematic for w3.org:
http://lists.w3.org/Archives/Public/www-tag/2014Nov/0033.html

I lean toward what Henri suggested: developer tools should make noise,
but the browser should do the redirect to the HTTPS origin instead of
blocking.

Cheers,
Brian
Received on Wednesday, 19 November 2014 21:08:18 UTC
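
The two orderings the message asks about, modelled as an added example that is not part of the original post or of any browser's code: `decide`, `isHstsHost`, the HSTS store contents and the sample URLs are all constructed here. It assumes the subresource is a blockable type such as a script, loaded from an https:// page.

```javascript
// Constructed HSTS store (hosts and expiry dates are made up for this example).
const hstsStore = new Map([
  ["www.example.org", { includeSubDomains: false, expires: Date.UTC(2030, 0, 1) }],
  ["example.net", { includeSubDomains: true, expires: Date.UTC(2030, 0, 1) }],
  ["old.example.com", { includeSubDomains: false, expires: Date.UTC(2010, 0, 1) }],
]);

// Known HSTS host: an unexpired exact match, or an unexpired parent-domain
// entry that set includeSubDomains.
function isHstsHost(host, now) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const entry = hstsStore.get(labels.slice(i).join("."));
    if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) {
      return true;
    }
  }
  return false;
}

// Hypothetical model of loading a blockable subresource (e.g. a script) from an
// https:// page. order is "block-first" (the mixed content check sees the
// authored URL) or "upgrade-first" (the HSTS internal redirect runs first).
function decide(authoredUrl, order, now = Date.UTC(2014, 10, 19)) {
  const url = new URL(authoredUrl);
  const authoredInsecure = url.protocol === "http:";
  if (order === "upgrade-first" && authoredInsecure && isHstsHost(url.hostname, now)) {
    url.protocol = "https:"; // internal redirect, no network request over http
  }
  const blocked = url.protocol === "http:";
  return {
    action: blocked ? "block" : "fetch",
    url: url.href,
    // "Developer tools should make noise": flag every http:// reference,
    // including the ones the upgrade rescued.
    warn: authoredInsecure,
  };
}

const samples = ["http://www.example.org/s.js", "http://cdn.example.net/s.js",
  "http://sub.www.example.org/s.js", "http://old.example.com/s.js"];
for (const s of samples) {
  for (const order of ["block-first", "upgrade-first"]) {
    console.log(order, s, JSON.stringify(decide(s, order)));
  }
}
```

Under either ordering, hosts with no matching or unexpired HSTS entry are still blocked; the orderings differ only for known HSTS hosts.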
