W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [MIX] HSTS, SW and mixed-content

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 27 Jan 2015 16:22:54 +0100
Message-ID: <CADnb78hSL_ezBA2kpijaQiV97habANnoMxeFX3WZ+YhBSA14XQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Yves Lafon <ylafon@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Jan 27, 2015 at 4:08 PM, Mike West <mkwst@google.com> wrote:
> On Tue, Jan 27, 2015 at 3:49 PM, Yves Lafon <ylafon@w3.org> wrote:
>> Is the characterization of the potentially secure/a priori insecure URLs
>> done before or after applying HSTS URL rewriting?
> HSTS happens after mixed content checking. We've had a number of threads on
> this, and there are reasonable arguments on both sides, but this is, I
> think, where we've come down pretty solidly.

Note that the editor of HSTS preferred it the other way around, but
given that HSTS depends on a cache I think I've come around. File a
bug on Fetch to reorder them? Or are we going to wait until everything
is written in terms of Fetch?

Received on Tuesday, 27 January 2015 15:23:18 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC