W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

Re: UPGRADE: Do we need granular control?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 12 Aug 2015 15:34:52 +0200
Message-ID: <CADnb78iDUoTH_5k4SwAEX-y2wHMqgdns-e1tr=00Lmmuk8Q38g@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Yan Zhu <yan@eff.org>, Alex Russell <slightlyoff@google.com>
On Mon, Aug 10, 2015 at 10:59 PM, Brad Hill <hillbrad@gmail.com> wrote:
> I think that we could call it done and think about adding just
> 'upgrade-insecure-navigations' to a Level 2.  I think it is beneficial to
> have that scope expansion available as extra behavior, but I don't see any
> good use cases to formally "decompose" upgrade-insecure-resources out of the
> existing behavior. (where it could only be used to weaken mixed content
> fetching, which we don't want to do and won't necessarily ever produce good
> results)

Agreed. And I think we should only consider new features here if we
find examples (as we did with upgrade-insecure-requests) of sites that
would use this to migrate to HTTPS.

Received on Wednesday, 12 August 2015 13:35:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:50 UTC