On Tue, Feb 3, 2015 at 10:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Therefore a new CSP directive (assuming that does not opt you into
> other CSP features) or standalone header to upgrade URLs that would
> otherwise be considered mixed content seems more effective.
Let's say we introduce Eduardo's "upgrade-unsafe". What would you expect it
to do?
I'd expect it to blindly rewrite first- and third-party HTTP images (and
etc.) to HTTPS before fetching, which would simply fail for images
unavailable over HTTPS. It's not clear to me that that's really worse than
the browser telling the user that the page is insecure, and it seems like
different site authors would react differently.
An alternative would be to rewrite first-party requests only. Would that
address enough of the problem to be worth offering?
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
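The two rewrite policies discussed above (upgrade every HTTP subresource, or only first-party ones) as a small model, added here as an example and not code from the thread, from any browser, or from the CSP spec. It assumes a page is "secure" when its scheme is https:, a subresource is mixed content when its scheme is http:, "first-party" means same hostname as the page, and a constructed set of hostnames stands in for the servers that actually answer over HTTPS, so the failure mode Mike mentions (an upgraded URL with no HTTPS service behind it) is visible in the result.

```javascript
// Added example: models the two "upgrade" policies from the thread.
// Assumptions (not from the thread): secure page == https:, mixed == http:
// subresource on an https: page, first-party == same hostname as the page.

const MODES = Object.freeze({ ALL: "all", FIRST_PARTY_ONLY: "first-party" });

// True when fetching `resourceUrl` from `pageUrl` would be mixed content.
function isMixedContent(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  return page.protocol === "https:" && res.protocol === "http:";
}

// First-party check simplified to "same hostname" for this example.
function isFirstParty(pageUrl, resourceUrl) {
  return new URL(pageUrl).hostname === new URL(resourceUrl).hostname;
}

// Rewrites an http: URL to https: before fetching. A default port (80) is
// already dropped by the URL parser, so only explicit non-default ports survive.
function upgradeUrl(resourceUrl) {
  const u = new URL(resourceUrl);
  if (u.protocol !== "http:") return u.href;
  u.protocol = "https:";
  return u.href;
}

// Policy decision for one subresource:
//   "fetch"   - not mixed content, fetched as-is
//   "upgrade" - rewritten to https: before the request is made
//   "mixed"   - left to the browser's normal mixed-content handling (block/warn)
function decide(pageUrl, resourceUrl, mode) {
  if (!isMixedContent(pageUrl, resourceUrl)) {
    return { action: "fetch", url: resourceUrl };
  }
  const eligible =
    mode === MODES.ALL ||
    (mode === MODES.FIRST_PARTY_ONLY && isFirstParty(pageUrl, resourceUrl));
  if (eligible) return { action: "upgrade", url: upgradeUrl(resourceUrl) };
  return { action: "mixed", url: resourceUrl };
}

// Simulates the network outcome. `httpsHosts` is a constructed set of hostnames
// that (in this example) actually serve HTTPS; an upgraded request to any other
// host simply fails, which is the downside raised in the thread.
function simulateFetch(decision, httpsHosts) {
  if (decision.action === "mixed") return "blocked-or-warned";
  const host = new URL(decision.url).hostname;
  if (decision.action === "upgrade" && !httpsHosts.has(host)) return "failed";
  return "ok";
}

// Runs the policy over every subresource of a page and reports each outcome.
function runPage(pageUrl, resources, mode, httpsHosts) {
  return resources.map((r) => {
    const d = decide(pageUrl, r, mode);
    return { url: r, action: d.action, result: simulateFetch(d, httpsHosts) };
  });
}

// Constructed sample page: one first-party image, one third-party script on a
// host that does speak HTTPS, one third-party image on a host that does not,
// and one resource that is already https: and therefore untouched.
const PAGE = "https://example.com/page";
const RESOURCES = [
  "http://example.com/logo.png",
  "http://cdn.example.net/lib.js",
  "http://legacy.example.org/banner.png",
  "https://example.com/styles.css",
];
const HTTPS_HOSTS = new Set(["example.com", "cdn.example.net"]);

for (const mode of Object.values(MODES)) {
  console.log(`mode=${mode}`);
  for (const row of runPage(PAGE, RESOURCES, mode, HTTPS_HOSTS)) {
    console.log(`  ${row.action.padEnd(8)} ${row.result.padEnd(17)} ${row.url}`);
  }
}
```

Under the "all" mode the legacy third-party image is upgraded and then fails because nothing listens on HTTPS there; under the first-party-only mode that same image stays mixed content and falls through to whatever the browser normally does with it, while the first-party logo is upgraded cleanly in both modes.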