- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 2 Feb 2015 16:54:05 +0100
- To: Mike West <mkwst@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>, Ryan Sleevi <sleevi@google.com>, Adam Langley <agl@google.com>

On Mon, Feb 2, 2015 at 4:47 PM, Mike West <mkwst@google.com> wrote:
> On Mon, Feb 2, 2015 at 4:39 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> Equivalent, but not identical. My proposal would be to upgrade in
>> Fetch similar to HSTS so that any scripts are not affected by URLs
>> changing.
>
> Hrm. So the result would be the same as a redirect? The document would have
> an insecure URL, but we'd end up making a secure request?

Somewhat and yes. (Redirect seems like the wrong analogy since there's
no insecurity involved.)

> That said, I'm not sure it actually solves W3C's concern, as it would leave
> legacy clients out in the cold. The only way to support clients that don't
> support the thing we haven't implemented yet would be to alter the links at
> the source. I totally understand that that's difficult, but it seems
> essential.

Yeah, this would only work if all browsers upgrade (or enough for
sites to start using it). So it would help with the long tail of
non-TLS properties, not those at the forefront.

--
https://annevankesteren.nl/

Received on Monday, 2 February 2015 15:54:28 UTC