
Re: [MIX] Interaction between HSTS and mixed content blocking

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 19 Nov 2014 22:22:06 +0100
Message-ID: <CADnb78ipOnFWiYDCrQW9nOH-OUbx0iAJQ3_dsuPDrt7WRDZ-Pw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Nov 19, 2014 at 10:07 PM, Brian Smith <brian@briansmith.org> wrote:
> The mixed content document should specify how http:// links for HSTS
> origins work: does the blocking happen before or after the internal
> redirect?

Per https://fetch.spec.whatwg.org/ it is after per suggestions from
HSTS' Jeff. This does not quite align with implementations. It's also
a bit unclear whether this is best, since it depends on which HSTS
domains you visited what the results will be. Perhaps we should make a
same-origin restriction here.

Received on Wednesday, 19 November 2014 21:22:32 UTC
