Re: An HTTP->HTTPS upgrading strawman. (was Re: Upgrade mixed content URLs through HTTP header)

On Tue, Feb 3, 2015 at 11:58 PM, Crispin Cowan <crispin@microsoft.com> wrote:
> It seems to me that there are 2 big scenarios that server admins are likely
> to want:
>
> ·         Strict: e.g. I’m a bank, I don’t ever want cleartext anything
> floating around, so every byte should be HSTS.
>
> ·         Opportunistic: I’m a mashup, so I want to make a best effort by
> having all the bytes from my site be encrypted, but don’t know or control
> what protocols are going on with sites that are mashed into mine.

I think there are three:

1. As is. Mixed Content is not touched.

2. Upgrade. Mixed Content URLs will be altered to use HTTP over TLS.

3. Block. All Mixed Content results in a network error.

We recently added 3. We already have 1 (just do nothing). This adds 2.
We might want to make the syntax a bit more related, but I'll leave
that up to Mike.


(Non-form top-level navigation needs to be excluded as Mixed Content
does not touch that. Links would break.)


-- 
https://annevankesteren.nl/

Received on Wednesday, 4 February 2015 08:14:16 UTC