Re: UPGRADE: 'HTTPS' header causing compatibility issues.

On Tue, Jun 30, 2015 at 4:26 PM, Richard Barnes <rbarnes@mozilla.com> wrote:
>
> If you happen to have a pointer handy, I would be interested to take a
> look at the history here.
>

https://github.com/w3c/webappsec/issues/216


> It does seem like Supported is different from Prefer.  It's more like
> Accept -- it's OK if you send me content that depends on $FEATURE.
>

I'll defer to people who know things about caching, but it seems like it
would end up in the same bucket as `Prefer` if it's possible to have more
than one supported value.


> Still, this is a totally reasonable direction to move in. If we're fine
>> with the length, then why not `upgrade-insecure-requests: Totally
>> supported! Gimmie that HTTPS, please.`
>>
>
> Adding header bloat to HTTP/1.1 seems like a feature, not a bug :)
>

I am totally going to use exactly this claim if/when I ever get around to
rekindling the origin cookie discussion, where I'm pretty sure you argued
exactly the opposite. :)


>  For h2 users, there should be no need to use this thing
>

Why not? I suspect mixed content will still exist for folks who migrate to
HTTP/2.

-mike

Received on Tuesday, 30 June 2015 19:01:38 UTC