- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 12 Feb 2015 17:57:00 +1100
- To: Mike West <mkwst@google.com>
- Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>, Eric Mill <eric@konklone.com>, Jacob S Hoffman-Andrews <jsha@eff.org>
On 12 February 2015 at 17:51, Mike West <mkwst@google.com> wrote: > 2. Moreover, there's no harm in redirecting _all_ non-HTML/non-Worker > requests to HTTPS, is there? That would simplify server-side logic. :) That's a bold assertion. So, for resource fetching with GET, you can cause no harm on the protocol end, so go for broke. You can only do that if the method is safe and idempotent, but I think that is as far as you intended to go anyway.
Received on Thursday, 12 February 2015 06:57:28 UTC