Re: Upgrade mixed content URLs through HTTP header

On Fri, Feb 6, 2015 at 6:39 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> 2) how to upgrade it to https (possibly via a directive
> or via JS). I was focusing on the latter when talking about
> ServiceWorkers. I guess it doesn't help in cases where you don't
> actually support HTTPS in some obscure origin and thus can't upgrade
> automatically.
>

We currently do mixed content (and CSP) checks before sending the request
to the Service Worker. I'm not sure it would be a good idea to restructure
that to wait for the SW to potentially rewrite the request. Also, the
timing seems problematic. You can't register a SW until you're on an HTTPS
page, at which point it's too late to start upgrading its requests.

I think a CSP-based solution has some advantages here, but I guess I
wouldn't be opposed to explaining it in terms of service workers if there's
a good way of doing so. +Alex, who probably has opinions about SW's
applicability.

-mike

--
Mike West <mkwst@google.com>, @mikewest


Received on Friday, 6 February 2015 05:58:23 UTC