W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: An HTTP->HTTPS upgrading strawman. (was Re: Upgrade mixed content URLs through HTTP header)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 4 Feb 2015 09:39:44 +0100
Message-ID: <CADnb78gV7RvZF_7svqd7Q9C76kGxQtXA+18gr-Sb2M0cSx-WqA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Crispin Cowan <crispin@microsoft.com>, Peter Eckersley <pde@eff.org>, Ryan Sleevi <sleevi@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Wed, Feb 4, 2015 at 9:20 AM, Mike West <mkwst@google.com> wrote:
> I suppose we could change the name from `upgrade-insecure-requests` to
> `upgrade-all-mixed-content`, but that would conceptually preclude using the
> directive on HTTP sites (as the content wouldn't actually be mixed). Perhaps
> that's not a bad thing, but since CSP itself works over HTTP, I don't think
> there's a good reason to deny this particular feature.

Fair. I imagined we would restrict it to secure contexts, but you're
right that there's no clear reason to do so.


-- 
https://annevankesteren.nl/
Received on Wednesday, 4 February 2015 08:40:08 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC