On Wed 2015-02-11 08:25:18 -0500, Mike West wrote:
> As we've discussed in other threads, I think user agents can and
> should experiment with automagically upgrading insecure blockable
> content, quite apart from whatever behavior we allow sites to
> opt-into. Those pages are already broken, so breaking them in a
> different way isn't particularly risky.
I agree with this. If the practice of auto-upgrading blockable content
becomes common (either de facto or via MIX2, should that happen), then
being able to use CSP reporting is still a good reason for this feature.
Perhaps something could be said in this draft about the interaction
between CSP reporting and automatic upgrades of blockable content?
Alternately, we could use this draft to specify three possible values
for upgrade-insecure-requests:
none - no automatic upgrades
blockable - automatic upgrades of blockable mixed content
all - automatic upgrades of all mixed content
and set blockable to be the default. This would allow sites that want
to avoid these upgrades (why? I don't know) to do so by issuing a CSP
with upgrade-insecure-requests=none.
--dkg
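To make the three-valued proposal concrete, here is an added example (not code from the thread, the draft, or any browser) of how a user agent might apply `upgrade-insecure-requests` with the values none/blockable/all to a mixed-content subresource. The value syntax, the "bare directive means all" fallback, the `blockable` default, and the small optionally-blockable set are all assumptions taken from the message and the Mixed Content draft, not shipped behaviour.

```javascript
// Toy model of the proposed three-valued upgrade-insecure-requests directive.
// ASSUMPTION: the values none/blockable/all come from dkg's proposal above and
// are not the shipped directive, which takes no value.

// Mixed Content treats a few legacy destinations as "optionally-blockable";
// everything else (scripts, styles, XHR, iframes, ...) is "blockable".
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

function mixedContentClass(destination) {
  return OPTIONALLY_BLOCKABLE.has(destination) ? "optionally-blockable" : "blockable";
}

// Pull the directive's value out of a Content-Security-Policy header string.
// Default is "blockable", as proposed; an unknown value falls back to it.
// ASSUMPTION: a bare "upgrade-insecure-requests" keeps the draft's "upgrade
// everything" meaning, so it maps to "all".
function upgradeMode(cspHeader) {
  const VALID = new Set(["none", "blockable", "all"]);
  for (const raw of cspHeader.split(";")) {
    const [name, value] = raw.trim().split(/[=\s]+/);
    if (name === "upgrade-insecure-requests") {
      if (value === undefined) return "all";
      return VALID.has(value) ? value : "blockable";
    }
  }
  return "blockable";
}

// Decide what happens to a subresource fetched from an https:// page.
// Returns { action, url } where action is "load", "upgrade" or "block".
function decide(cspHeader, url, destination) {
  if (!url.startsWith("http://")) return { action: "load", url }; // not mixed
  const cls = mixedContentClass(destination);
  const mode = upgradeMode(cspHeader);
  const upgrade = mode === "all" || (mode === "blockable" && cls === "blockable");
  if (upgrade) {
    return { action: "upgrade", url: "https://" + url.slice("http://".length) };
  }
  // No upgrade: blockable content is blocked, optionally-blockable still loads.
  return { action: cls === "blockable" ? "block" : "load", url };
}
```

With the `blockable` default, an `http://` script on an `https://` page is rewritten to `https://` while an `http://` image is left alone; `upgrade-insecure-requests=none` restores blocking of the script.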