- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 27 Jan 2015 16:22:54 +0100
- To: Mike West <mkwst@google.com>
- Cc: Yves Lafon <ylafon@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Jan 27, 2015 at 4:08 PM, Mike West <mkwst@google.com> wrote: > On Tue, Jan 27, 2015 at 3:49 PM, Yves Lafon <ylafon@w3.org> wrote: >> Is the characterization of the potentially secure/a priori insecure URLs >> done before or after applying HSTS URL rewriting? > > HSTS happens after mixed content checking. We've had a number of threads on > this, and there are reasonable arguments on both sides, but this is, I > think, where we've come down pretty solidly. Note that the editor of HSTS preferred it the other way around, but given that HSTS depends on a cache I think I've come around. File a bug on Fetch to reorder them? Or are we going to wait until everything is written in terms of Fetch? -- https://annevankesteren.nl/
Received on Tuesday, 27 January 2015 15:23:18 UTC