- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 23 Oct 2014 17:06:30 +0200
- To: Mike West <mkwst@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Oct 23, 2014 at 4:24 PM, Mike West <mkwst@google.com> wrote: > 1. We're not blocking all requests from SHA-1 laden servers, just those that > are subresources of non-SHA-1-laden HTTPS documents. So we need to have > mixed content checking logic down in Blink somewhere; we can't just blindly > kill the request entirely. So I guess whether something is weakly authenticated should first be exposed on a response. And then propagated by the navigate and run a worker algorithms somehow for environment settings objects. -- https://annevankesteren.nl/
Received on Thursday, 23 October 2014 15:06:58 UTC