- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 2 Feb 2015 16:39:15 +0100
- To: Mike West <mkwst@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Mon, Feb 2, 2015 at 4:35 PM, Mike West <mkwst@google.com> wrote:
> Would the effect of the header be equivalent to running `s/http:/https:/g`
> on the HTML? That is, at parse time, we would transparently replace
> `http://example.com/test.png` with `https://example.com/test.png`?

Equivalent, but not identical. My proposal would be to upgrade in Fetch
similar to HSTS so that any scripts are not affected by URLs changing.

> Or would this be similar to strict mixed content checking mode, blocking the
> requests without degrading the UI?

It would not be similar as we would attempt to fetch these resources
over TLS. Having said that, I don't understand why strict mixed content
would result in UI degradation. If we don't actually do something that
causes harm to the user (such as fetching mixed content images), we
shouldn't alert them about it.

--
https://annevankesteren.nl/

Received on Monday, 2 February 2015 15:39:39 UTC