- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 4 Feb 2015 09:13:52 +0100
- To: Crispin Cowan <crispin@microsoft.com>
- Cc: Mike West <mkwst@google.com>, Peter Eckersley <pde@eff.org>, Ryan Sleevi <sleevi@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Feb 3, 2015 at 11:58 PM, Crispin Cowan <crispin@microsoft.com> wrote: > It seems to me that there are 2 big scenarios that server admins are likely > to want: > > · Strict: e.g. I’m a bank, I don’t ever want cleartext anything > floating around, so every byte should be HSTS. > > · Opportunistic: I’m a mashup, so I want to make a best effort by > having all the bytes from my site be encrypted, but don’t know or control > what protocols are going on with sites that are mashed into mine. I think there are three: 1. As is. Mixed Content is not touched. 2. Upgrade. Mixed Content URLs will be altered to use HTTP over TLS. 3. Block. All Mixed Content results in a network error. We recently added 3. We already have 1 (just do nothing). This adds 2. We might want to make the syntax a bit more related, but I'll leave that up to Mike. (Non-form top-level navigation needs to be excluded as Mixed Content does not touch that. Links would break.) -- https://annevankesteren.nl/
Received on Wednesday, 4 February 2015 08:14:16 UTC