- From: Mike West <mkwst@google.com>
- Date: Fri, 26 Sep 2014 14:26:55 +0200
- To: Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Friday, 26 September 2014 12:27:42 UTC
+sleevi

On Fri, Sep 26, 2014 at 2:24 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Sep 26, 2014 at 2:15 PM, Mike West <mkwst@google.com> wrote:
> > Yes, I think that's true.
>
> Perhaps Gecko's stance that HSTS rewriting happens after Mixed Content
> is correct. At least for non-same-origin HSTS. :-(
>

That's how Chrome implements it, actually. Ryan, et al, are dead-set against moving HSTS before mixed content checking, as he claims (correctly) that HSTS only protects those browsers that support it. If we don't throw errors, we're throwing Safari and IE users under a bus.

-mike
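The ordering question in this message, as an added example that is not part of the original e-mail or of any browser's code: a simplified model in which every browser blocks an `http:` script on an `https:` page and browsers differ only in HSTS support. The host names, the `browsers` profiles and all function names are constructed for illustration.

```javascript
// Simplified model (added example): every browser blocks an http: script on an
// https: page; browsers differ only in whether they implement HSTS.
const hstsHosts = new Set(["cdn.example"]); // constructed: hosts with an HSTS policy
const browsers = {                          // constructed, hypothetical profiles
  withHsts: { supportsHsts: true },
  withoutHsts: { supportsHsts: false },
};

function isMixedContent(pageUrl, resourceUrl) {
  return new URL(pageUrl).protocol === "https:" &&
         new URL(resourceUrl).protocol === "http:";
}

// Rewrite http: to https: for known HSTS hosts, only where HSTS is implemented.
function applyHsts(resourceUrl, browser) {
  const u = new URL(resourceUrl);
  if (browser.supportsHsts && u.protocol === "http:" && hstsHosts.has(u.hostname)) {
    u.protocol = "https:";
  }
  return u.href;
}

// order: "mixed-first" (check, then rewrite) or "hsts-first" (rewrite, then check).
function fetchDecision(pageUrl, resourceUrl, browser, order) {
  let url = resourceUrl;
  if (order === "hsts-first") url = applyHsts(url, browser);
  if (isMixedContent(pageUrl, url)) return { outcome: "blocked", url };
  if (order === "mixed-first") url = applyHsts(url, browser);
  return { outcome: "loaded", url };
}

// What the page author sees in each browser, for each ordering.
function compareOrders(pageUrl, resourceUrl) {
  const rows = [];
  for (const order of ["mixed-first", "hsts-first"]) {
    for (const [name, browser] of Object.entries(browsers)) {
      rows.push({ order, browser: name, ...fetchDecision(pageUrl, resourceUrl, browser, order) });
    }
  }
  return rows;
}

console.table(compareOrders("https://site.example/", "http://cdn.example/lib.js"));
```

With the check first, both profiles report the same blocked load, so the error is visible wherever the page is tested. With the rewrite first, only the profile without HSTS fails, and an author testing with HSTS never sees it.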