- From: Mike West <mkwst@google.com>
- Date: Tue, 27 Jan 2015 16:08:02 +0100
- To: Yves Lafon <ylafon@w3.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dRDWEcfTE2S1wMLZk5DBNzWqcQhChDgC48GtGX8QRWmQ@mail.gmail.com>
Copy/pasting from the GitHub issue:

On Tue, Jan 27, 2015 at 3:49 PM, Yves Lafon <ylafon@w3.org> wrote:
>
> Is the characterization of the potentially secure/a priori insecure URLs
> done before or after applying HSTS URL rewriting?

HSTS happens after mixed content checking. We've had a number of threads on this, and there are reasonable arguments on both sides, but this is, I think, where we've come down pretty solidly. https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0306.html and related is the most recent, most relevant thread.

> The same question goes if the request is handled by a ServiceWorker (and
> in fact anything that is impacting resource fetching).
>

Service workers happen after an initial round of mixed content checking. That is, we see a request for X, we evaluate it against mixed content checking at the top of Fetch, and then, if it passes, it moves into the service worker for processing (where it will again be subject to mixed content checks).

Thanks!

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 27 January 2015 15:08:50 UTC
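The practical consequence of the ordering Mike describes is easy to miss: an https page that references http://example.com/lib.js is blocked as mixed content even when example.com is in the browser's HSTS cache, because the HSTS rewrite is never reached, and a service worker that swaps in an insecure URL is caught by the second check. The following toy pipeline is an added example, not code from the message, Fetch, or the Mixed Content spec. Its HSTS host list, page and request URLs are constructed; only https and wss count as "potentially secure"; every request is treated as blockable (the optionally-blockable image/media cases are ignored); and placing the HSTS step after the service worker is this model's assumption, since the message only says both come after the first mixed content check.

```javascript
// Toy model of the ordering in the message: mixed content check first,
// then service worker handling (with a second check), then HSTS upgrade.
// Added example; not the Fetch or Mixed Content spec's own algorithm.

// Constructed HSTS cache: hosts that previously sent Strict-Transport-Security.
const HSTS_HOSTS = new Set(["example.com"]);

// Simplified "potentially secure URL": only https and wss qualify here.
function isPotentiallyTrustworthy(url) {
  const scheme = new URL(url).protocol;
  return scheme === "https:" || scheme === "wss:";
}

// Mixed content: a secure page fetching an a priori insecure URL.
// Everything is treated as blockable in this model.
function isMixedContent(pageUrl, requestUrl) {
  return isPotentiallyTrustworthy(pageUrl) && !isPotentiallyTrustworthy(requestUrl);
}

// HSTS rewrite: http -> https for cached hosts, otherwise the URL is unchanged.
function applyHsts(url) {
  const u = new URL(url);
  if (u.protocol === "http:" && HSTS_HOSTS.has(u.hostname)) u.protocol = "https:";
  return u.href;
}

// fetchPipeline(pageUrl, requestUrl, serviceWorker) returns
// { blocked, url, trace }. serviceWorker, if given, is a function that
// takes the request URL and returns the URL it actually fetches.
// Step ordering after the first check is an assumption of this model.
function fetchPipeline(pageUrl, requestUrl, serviceWorker = null) {
  const trace = [];

  // (1) Mixed content check on the request exactly as the page issued it.
  //     HSTS has not been consulted yet, so it cannot rescue the request.
  if (isMixedContent(pageUrl, requestUrl)) {
    trace.push("blocked: mixed content (HSTS never consulted)");
    return { blocked: true, url: requestUrl, trace };
  }
  trace.push("passed initial mixed content check");

  // (2) Service worker may substitute a different request; the result is
  //     checked again so it cannot smuggle in an insecure URL.
  let url = requestUrl;
  if (serviceWorker) {
    url = serviceWorker(url);
    trace.push("service worker fetches " + url);
    if (isMixedContent(pageUrl, url)) {
      trace.push("blocked: mixed content (inside service worker)");
      return { blocked: true, url, trace };
    }
  }

  // (3) HSTS upgrade at the network layer (assumed position in this model).
  const finalUrl = applyHsts(url);
  if (finalUrl !== url) trace.push("HSTS upgrade to " + finalUrl);
  return { blocked: false, url: finalUrl, trace };
}

// Demonstration on constructed inputs.
const cases = [
  ["https://site.test/", "http://example.com/lib.js", null],
  ["http://site.test/", "http://example.com/lib.js", null],
  ["https://site.test/", "https://cdn.test/a.js", (u) => u.replace(/^https:/, "http:")],
];
for (const [page, req, sw] of cases) {
  const r = fetchPipeline(page, req, sw);
  console.log(page, "->", req, "|", r.blocked ? "BLOCKED" : r.url, "|", r.trace.join("; "));
}
```

The first case is the one Yves asked about: the HSTS entry for example.com exists, but the request is blocked before that entry is ever looked at. The second case shows the same entry doing its job on an http page, where there is no mixed content to block. The third case shows the service worker's substitute request being caught by the second check.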