On Thu, Feb 12, 2015 at 5:26 PM, Julian Reschke <julian.reschke@gmx.de>
wrote:
> Nitpicking on the field name; how about:
>
> Prefer: encrypted
>
> (that at least avoids a new header field name, and already has a
> well-defined syntax and extensibility model).

Hey, look at that. It's exactly what I was looking for. :)

I've added https://w3c.github.io/webappsec/specs/upgrade/#feature-detect,
which defines a `return=secure-representation` preference. I'd like to
avoid the topic of whether or not OE would meet the level of "encrypted",
and piggybacking on the existing `return` preference seems reasonable.

To Anne's point, I've suggested that user agents should only send the
header when requesting insecure resources. That is, we'd allow easy feature
detection for upgrades, but we wouldn't provide the same clarity around
downgrades. Does that seem like a reasonable compromise?

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
Registration court and number: Hamburg, HRB 86891, Registered office:
Hamburg, Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
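
The feature-detection signal discussed in this message, as an added example that is not part of the original email or of the linked draft: the user-agent side attaches `Prefer: return=secure-representation` only to insecure requests, and the server side parses the `Prefer` field value to detect it. The function names and sample URLs are hypothetical, and taking the first occurrence of a repeated preference is this example's reading of the `Prefer` syntax.

```javascript
// Added illustration; function names are hypothetical, not from the draft.
const PREFERENCE = "return=secure-representation";

// User-agent side: per the message above, the preference is sent only when
// the request targets an insecure (http:) resource, so it signals upgrade
// capability without exposing anything on secure requests.
function preferHeaderFor(url) {
  return new URL(url).protocol === "http:" ? PREFERENCE : null;
}

// Server side: parse a Prefer field value into a Map of lower-cased
// preference name -> value. Commas and semicolons inside quoted strings
// are not treated as separators; parameters after ';' are ignored.
function parsePrefer(fieldValue) {
  const prefs = new Map();
  const items = fieldValue.match(/(?:"(?:[^"\\]|\\.)*"|[^,])+/g) || [];
  for (const item of items) {
    const head = (item.match(/(?:"(?:[^"\\]|\\.)*"|[^;])+/) || [""])[0].trim();
    if (!head) continue;
    const eq = head.indexOf("=");
    const name = (eq < 0 ? head : head.slice(0, eq)).trim().toLowerCase();
    let value = eq < 0 ? "" : head.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\(.)/g, "$1"); // unquote
    }
    // Assumption of this example: the first occurrence of a name wins.
    if (name && !prefs.has(name)) prefs.set(name, value);
  }
  return prefs;
}

// True when the request carried the secure-representation preference.
function wantsSecureRepresentation(fieldValue) {
  if (!fieldValue) return false;
  return parsePrefer(fieldValue).get("return") === "secure-representation";
}
```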