Re: An HTTP->HTTPS upgrading strawman. (was Re: Upgrade mixed content URLs through HTTP header) from Eduardo' Vela\ on 2015-02-03 (public-webappsec@w3.org from February 2015)

From: Eduardo' Vela\ <evn@google.com>
Date: Tue, 3 Feb 2015 16:49:42 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, Ryan Sleevi <sleevi@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>
Message-ID: <CAFswPa92447p8bz=JBu6GT5Bda8apznNNBgidefPEvPUswB-Pg@mail.gmail.com>

I see, I thought that had changed recently (there was a discussion about
sites using CORS breaking when upgrading to SSL and that this shouldn't be
allowed). I guess this is OK then.

On Tue, Feb 3, 2015 at 4:47 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Feb 3, 2015 at 4:40 PM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
> > I was hoping this would work as a *-src directive, since there are sites
> > that will (for ever) need to fetch http:// resources over XHR (eg,
> > Chromecast).
>
> That is blocked already. (XMLHttpRequest (CORS, more generally) does
> not allow for Mixed Content.) What am I missing?
>
>
> --
> https://annevankesteren.nl/
>

Received on Tuesday, 3 February 2015 15:50:31 UTC