- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 3 Feb 2015 10:21:50 +0100
- To: "Eduardo' Vela <Nava>" <evn@google.com>
- Cc: Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, Ryan Sleevi <sleevi@google.com>, Adam Langley <agl@google.com>, Peter Eckersley <pde@eff.org>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Feb 3, 2015 at 10:18 AM, Eduardo' Vela" <Nava> <evn@google.com> wrote: > Would this enable the upgrade only? Without the STSing? > > Strict-Transport-Security: max-age=0; upgradeSubresources I think Mike was suggesting not to extend HSTS but instead use the presence of HSTS as a signal to upgrade all mixed content URLs within the document. It's not entirely clear to me if that is compatible with what is out there today. And if coupling it with HSTS helps adoption or makes it harder. -- https://annevankesteren.nl/
Received on Tuesday, 3 February 2015 09:22:17 UTC