- From: Mike West <mkwst@google.com>
- Date: Thu, 12 Feb 2015 08:35:57 +0100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>, Eric Mill <eric@konklone.com>, Jacob S Hoffman-Andrews <jsha@eff.org>
On Thu, Feb 12, 2015 at 7:57 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 12 February 2015 at 17:51, Mike West <mkwst@google.com> wrote:
>> 2. Moreover, there's no harm in redirecting _all_ non-HTML/non-Worker
>> requests to HTTPS, is there? That would simplify server-side logic. :)
>
>
> That's a bold assertion. So, for resource fetching with GET, you can
> cause no harm on the protocol end, so go for broke. Sure.
> You can only do that if the method is safe and idempotent, but I think
> that is as far as you intended to go anyway.

The upgrade strawman we're discussing intends to act on form submissions as well. To what extent do you expect upgrading from HTTP to HTTPS for non-idempotent methods to be dangerous?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 12 February 2015 07:36:44 UTC