Re: Upgrade mixed content URLs through HTTP header

On Tue, Feb 3, 2015 at 10:47 AM, Ryan Sleevi wrote:
> I'm not sure I follow this, so apologies for not fully keeping up with the
> shifting thread. When extended to third-party resources, if I embed an HTTP
> image from a third-party origin on a site with HSTS, it will load but
> degrade UI. If I auto-upgrade that other origin to HTTPS, it will fail to
> load - that does seem considerably worse, doesn't it?


I think we have learned over time that coupling is bad and makes
adoption harder. Which I think means that we should offer a way to do
this without also opting into other features.

Therefore a new CSP directive (assuming that does not opt you into
other CSP features) or standalone header to upgrade URLs that would
otherwise be considered mixed content seems more effective.


Received on Tuesday, 3 February 2015 09:56:30 UTC