- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 21 Sep 2015 19:29:12 +0200
- To: Mike West <mkwst@google.com>
- Cc: Jose Kahan <jose.kahan@w3.org>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Sep 21, 2015 at 2:06 PM, Mike West <mkwst@google.com> wrote:
> On Mon, Sep 21, 2015 at 1:48 PM, Jose Kahan <jose.kahan@w3.org> wrote:
>> We need a solution that will allow to assume all content is https,
>> in perpetuity, without needing to upgrade all legacy content.
>
> That seems like an unfortunate design decision. I hope you'll change your
> mind over time. :)

Why? The header makes the two types of content identical. User agents
not implementing the header will be considered broken in due course,
just like user agents not supporting the Host header are today.

I really don't think we should give folks the impression that one is
better than the other long term, or worse, that the header might go
away. That just harms adoption.

--
https://annevankesteren.nl/

Received on Monday, 21 September 2015 17:29:37 UTC