Ok. If no one strenuously objects by the time I wake up, I'll poke at the
spec with `upgrade-non-secure` in mind tomorrow.
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
On Wed, Jul 8, 2015 at 7:53 PM, Richard Barnes <rbarnes@mozilla.com> wrote:
>
>
> On Wed, Jul 8, 2015 at 10:48 AM, Brian Smith <brian@briansmith.org> wrote:
>
>> On Wed, Jul 8, 2015 at 1:08 PM, Richard Barnes <rbarnes@mozilla.com>
>> wrote:
>>
>>> On Wed, Jul 8, 2015 at 9:29 AM, Martin Thomson <martin.thomson@gmail.com
>>> > wrote:
>>>
>>>> On 8 July 2015 at 07:53, Mike West <mkwst@google.com> wrote:
>>>> > `upgrade-insecure-requests: 1`, going once, going twice...
>>>>
>>>>
>>>> OK, I'll bite. -requests seems unnecessarily verbose. I mean, yes,
>>>> we do want to be precise and clear, but `upgrade-insecure` seems
>>>> enough; though only if you also change the CSP directive name I
>>>> suppose.
>>>>
>>>
>>> Please, let's just have the header name match the directive name.
>>>
>>
>> I agree it is better to have it match the directive name. However, I also
>> think it would be fine to rename the CSP directive to "upgrade-insecure" or
>> (better) "upgrade-non-secure".
>>
>> Consider the case of ws:// to wss:// upgrade. No "requests" are involved.
>> Also, for HTTP -> HTTPS, the mechanism also indirectly upgrades the
>> responses. So "-requests" seems not so good irrespective of the HTTP header
>> field naming issue.
>>
>
> WFM
>
>
>>
>> Cheers,
>> Brian
>>
>
>