Re: Testing W3C's HTTPS setup

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 21 Sep 2015 19:29:12 +0200
Message-ID: <CADnb78jVyWrXZJQy8O+OKf42LMYgP+b9x_1PG9Wrg5jVMgSS+A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Jose Kahan <jose.kahan@w3.org>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Sep 21, 2015 at 2:06 PM, Mike West <mkwst@google.com> wrote:
> On Mon, Sep 21, 2015 at 1:48 PM, Jose Kahan <jose.kahan@w3.org> wrote:
>> We need a solution that will allow to assume all content is https,
>> in perpetuity, without needing to upgrade all legacy content.
>
> That seems like an unfortunate design decision. I hope you'll change your
> mind over time. :)

Why?

The header makes the two types of content identical. User agents not
implementing the header will be considered broken in due course, just
like user agents not supporting the Host header are today.

I really don't think we should give folks the impression that one is
better than the other long term, or worse, that the header might go
away. That just harms adoption.


-- 
https://annevankesteren.nl/
Received on Monday, 21 September 2015 17:29:37 UTC
