- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 28 Jul 2015 19:36:48 +0200
- To: Brian Smith <brian@briansmith.org>
- Cc: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Dan Veditz <dveditz@mozilla.com>, Kristijan Burnik <burnik@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Alex Russell <slightlyoff@google.com>, Ryan Sleevi <sleevi@google.com>
On Tue, Jul 28, 2015 at 7:24 PM, Brian Smith <brian@briansmith.org> wrote: > In particular, it is unclear to me what prevents a service worker from > returning a response retrieved over http:// in response to an https:// > request. That would be Mixed Content (and I suppose it won't always disallow that). > Is that specified in the service workers spec, the fetch spec, or > this spec? Where in which spec? In general security checks for requests and responses are in Fetch, which calls out to various algorithms in CSP (yet to be written), HSTS, Mixed Content, Referrer Policy, Integrity, ... -- https://annevankesteren.nl/
Received on Tuesday, 28 July 2015 17:37:13 UTC