- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 19 Nov 2014 13:30:23 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Nov 19, 2014 at 1:22 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, Nov 19, 2014 at 10:07 PM, Brian Smith <brian@briansmith.org> wrote:
>> The mixed content document should specify how http:// links for HSTS
>> origins work: does the blocking happen before or after the internal
>> redirect?
>
> Per https://fetch.spec.whatwg.org/ it is after per suggestions from
> HSTS' Jeff.

Sounds good.

> This does not quite align with implementations.

I think you mean "this is the opposite of what implementations do." Are there two implementations interested in changing this?

> It's also a bit unclear whether this is best, since it depends on which HSTS
> domains you visited what the results will be. Perhaps we should make a
> same-origin restriction here.

I'm not sure I understand. The fact that HSTS state accumulates and is lost over time affects every fetch, not just mixed content fetches.

Cheers,
Brian
Received on Wednesday, 19 November 2014 21:30:49 UTC