- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: Wed, 11 Feb 2015 14:33:59 -0500
- To: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>
- Cc: Jim Manico <jim.manico@owasp.org>, Crispin Cowan <crispin@microsoft.com>, "public-webappsec\@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Peter Eckersley <pde@eff.org>, yan zhu <yan@mit.edu>
On Wed 2015-02-11 13:24:21 -0500, Brad Hill wrote:
> Thanks, Mike, that looks good. Should we promote the following note (or
> new language to indicate the same) from section 4.1 to the
> goals/introduction?
>
> Note: We allow only same-origin upgrades in order to ensure that
> navigations between pages of a single site that has opted-into the upgrade
> behavior remain on HTTPS, regardless of the hard-coded values in <a> tags.
> Performing upgrades for third-party resources brings a significantly higher
> potential for breakage, so we’re avoiding it for the moment.

This note is intended to be limited to navigation upgrades, right?

In that case, the last sentence should begin with something like:

  Performing upgrades for navigations to third-party resources...
                          ^^^^^^^^^^^^^^

Otherwise it implies that when https://example.com/ has an
<img src="http://example.org/"/> this feature won't have an effect, which
would miss the point.

--dkg
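The distinction dkg is drawing, as an added example that is not part of this thread or of the specification text: a toy model of a document that has opted in to upgrades, in which navigations are upgraded only when the target is same-origin with the document, while subresource fetches such as the <img> in the reply are upgraded regardless of origin. The function names (upgradeIfNeeded, schemelessOrigin), the "navigation"/"subresource" request kinds, and the choice to compare host and port while ignoring the scheme are this example's own assumptions, not the specification's normative algorithm.

```javascript
// Added example, not from the thread or the spec. Models the behaviour the
// quoted note describes for a document that opted in to upgrades.

// Origin comparison for the upgrade check. The scheme is deliberately
// ignored (it is what we are about to change); host includes the port when
// it is non-default, so http://example.com/ and https://example.com/ compare
// equal. This is an assumption of the example, not the spec's wording.
function schemelessOrigin(urlString) {
  return new URL(urlString).host;
}

// Decide whether a request should move from http to https.
//   docUrl:     URL of the document that opted in to upgrades
//   requestUrl: URL the page is about to fetch or navigate to
//   kind:       "navigation" (e.g. following an <a>) or "subresource"
//               (e.g. an <img>, <script>, stylesheet)
// Returns { url, upgraded } so callers can see what happened.
function upgradeIfNeeded(docUrl, requestUrl, kind) {
  const req = new URL(requestUrl);

  // Only plain http is a candidate; https, data:, blob: etc. are left alone.
  if (req.protocol !== "http:") {
    return { url: requestUrl, upgraded: false };
  }

  // Navigations are upgraded only within the same site: a hard-coded
  // http link to a third party is followed as written, which is the
  // breakage risk the note is avoiding.
  if (kind === "navigation" &&
      schemelessOrigin(docUrl) !== schemelessOrigin(requestUrl)) {
    return { url: requestUrl, upgraded: false };
  }

  // Same-origin navigation, or any subresource: rewrite to https.
  req.protocol = "https:";
  return { url: req.href, upgraded: true };
}

// Walk the cases from the reply so the difference is visible at a glance.
function demo() {
  const doc = "https://example.com/";                       // constructed
  return [
    ["subresource", "http://example.org/image.png"],        // third-party img
    ["navigation",  "http://example.org/"],                 // third-party <a>
    ["navigation",  "http://example.com/page2"],            // same-site <a>
    ["subresource", "https://example.org/already.js"],      // already https
  ].map(([kind, url]) => ({ kind, url, ...upgradeIfNeeded(doc, url, kind) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of demo()) {
    console.log(`${row.kind.padEnd(11)} ${row.url} -> ${row.upgraded ? row.url.replace(/^http:/, "https:") : "(unchanged)"}`);
  }
}

module.exports = { schemelessOrigin, upgradeIfNeeded, demo };
```

Run with `node upgrade.js` to print the four cases. The third-party <img> is rewritten to https while the third-party <a> is left as written, which is exactly why the note's last sentence needs "navigations to" to avoid implying the <img> case is excluded.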
Received on Wednesday, 11 February 2015 19:34:16 UTC