On Tue, Feb 3, 2015 at 11:50 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Tue, Feb 3, 2015 at 11:16 AM, Mike West <mkwst@google.com> wrote: > > Let's say we introduce Eduardo's "upgrade-unsafe". What would you expect > it > > to do? > > > > I'd expect it to blindly rewrite first- and third-party HTTP images (and > > etc.) to HTTPS before fetching, which would simply fail for images > > unavailable over HTTPS. It's not clear to me that that's really worse > than > > the browser telling the user that the page is insecure, and it seems like > > different site authors would react differently. > > This is what I would expect. And from experience with deploying TLS on > whatwg.org and html5.org I know that we had made sure that the thirty > or so domains for in use (for both primary and subresources) supported > TLS. It was just an enormous hassle to make sure that the content also > matched that. If we had a header to upgrade the content deployment of > TLS would have gone a lot smoother. > My worry is that we're papering over the problem for newer clients, thereby removing incentive to fix the problem for existing clients. While I agree with Peter's earlier assertion that we shouldn't hold up progress, I think this is a concern we'd need to address in order to ensure that sites and applications remain as accessible as possible. Ensuring that CSP-Report-Only works correctly is important, for example. -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 3 February 2015 10:54:07 UTC