Ok. If no one strenuously objects by the time I wake up, I'll poke at the spec with `upgrade-non-secure` in mind tomorrow. -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Wed, Jul 8, 2015 at 7:53 PM, Richard Barnes <rbarnes@mozilla.com> wrote: > > > On Wed, Jul 8, 2015 at 10:48 AM, Brian Smith <brian@briansmith.org> wrote: > >> On Wed, Jul 8, 2015 at 1:08 PM, Richard Barnes <rbarnes@mozilla.com> >> wrote: >> >>> On Wed, Jul 8, 2015 at 9:29 AM, Martin Thomson <martin.thomson@gmail.com >>> > wrote: >>> >>>> On 8 July 2015 at 07:53, Mike West <mkwst@google.com> wrote: >>>> > `upgrade-insecure-requests: 1`, going once, going twice... >>>> >>>> >>>> OK, I'll bite. -requests seems unnecessarily verbose. I mean, yes, >>>> we do want to be precise and clear, but `upgrade-insecure` seems >>>> enough; though only if you also change the CSP directive name I >>>> suppose. >>>> >>> >>> Please, let's just have the header name match the directive name. >>> >> >> I agree it is better to have it match the directive name. However, I also >> think it would be fine to rename the CSP directive to "upgrade-insecure" or >> (better) "upgrade-non-secure". >> >> Consider the case of ws:// to wss:// upgrade. No "requests" are involved. >> Also, for HTTP -> HTTPS, the mechanism also indirectly upgrades the >> responses. So "-requests" seems not so good irrespective of the HTTP header >> field naming issue. >> > > WFM > > >> >> Cheers, >> Brian >> > >
Received on Wednesday, 8 July 2015 18:12:52 UTC