- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: Tue, 17 Mar 2015 15:39:22 -0400
- To: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>
- Cc: Peter Eckersley <pde@eff.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eric Mill <eric@konklone.com>
On Tue 2015-03-17 13:10:50 -0400, Brad Hill wrote:
> Remember this isn't just about user agents. A specifically motivating use
> case is sites that need to access data that is only available over http
> from legacy origins which are perhaps mostly-unmaintained and may take a
> very long time to get with the https program.
>
> In such cases, it is ideal to provide an application owner a way to get
> user-agent assistance in rewriting links automatically from http->https,
> a-la-HSTS, but not simultaneously force entire origins to be exclusively
> available over https, since they may need to occasionally send users to an
> application loaded from http in order that it might access insecure
> third-party data at legacy endpoints.

But it *is* about user agents. If a site needs to access data itself (without a user agent involved) it can do so with whatever policy it wants.

--dkg
Received on Tuesday, 17 March 2015 19:39:52 UTC