On Wed, Nov 19, 2014 at 1:07 PM, Brian Smith <brian@briansmith.org> wrote:
> I lean toward what Henri suggested: developer tools should make noise,
> but the browser should do the redirect to the HTTPS origin instead of
> blocking.

Chrome applies mixed-content rules before HSTS redirects are considered and it's unlikely that we would change that. Otherwise sites randomly work or not based on whether the profile has previously visited (and thus remembered HSTS for) an origin. Also, it leaves mixed-content issues to bite people using browsers that don't implement HSTS (and possibly allow dangerous loads).

Cheers

AGL

Received on Wednesday, 19 November 2014 21:31:02 UTC
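The ordering argument in the message above, as an added example that is not part of the original post: a simplified JavaScript model of a subresource request made from an HTTPS page, comparing the two possible orders of the mixed-content check and the HSTS upgrade. The function names, options and the `cdn.example.test` URL are constructed for illustration and do not reflect any browser's actual code.

```javascript
// Simplified model (assumption, not browser source) of one subresource load
// requested by a page served over HTTPS.
// order: "mixed-first" = mixed-content check runs before the HSTS upgrade
//        "hsts-first"  = HSTS upgrade runs before the mixed-content check
function decideLoad(subresourceUrl, hstsHosts, order, opts = {}) {
  const { supportsHsts = true, blocksMixedContent = true } = opts;
  const url = new URL(subresourceUrl);

  // HSTS: rewrite http -> https only for hosts this profile has remembered.
  const upgrade = () => {
    if (supportsHsts && url.protocol === "http:" && hstsHosts.has(url.hostname)) {
      url.protocol = "https:";
    }
  };
  // Mixed content: an http subresource on an https page.
  const isMixed = () => url.protocol === "http:";

  if (order === "hsts-first") upgrade();
  if (isMixed() && blocksMixedContent) return "blocked";
  if (order === "mixed-first") upgrade();
  return url.protocol === "https:" ? "loaded-https" : "loaded-http";
}

// Same page, same markup, two profiles: one that has never visited the
// subresource host and one that has its HSTS policy cached.
function compareProfiles(order) {
  const script = "http://cdn.example.test/app.js"; // constructed URL
  const freshProfile = new Set();
  const returningProfile = new Set(["cdn.example.test"]);
  return {
    fresh: decideLoad(script, freshProfile, order),
    returning: decideLoad(script, returningProfile, order),
  };
}

// A client with no HSTS support that also permits the insecure load.
function legacyClient() {
  return decideLoad("http://cdn.example.test/app.js",
    new Set(["cdn.example.test"]), "hsts-first",
    { supportsHsts: false, blocksMixedContent: false });
}

console.log("mixed-first:", compareProfiles("mixed-first"));
console.log("hsts-first: ", compareProfiles("hsts-first"));
console.log("legacy client:", legacyClient());
```

With the mixed-content check first, both profiles get the same result, so the site author sees the failure on every visit; with the upgrade first, the outcome depends on cached HSTS state, and a client without HSTS still fetches over plain HTTP.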