On Mon, Sep 21, 2015 at 10:53 AM, Eric Mill <eric@konklone.com> wrote: > > On Mon, Sep 21, 2015 at 1:33 PM, Richard Barnes <rbarnes@mozilla.com> > wrote: > >> >> >> On Mon, Sep 21, 2015 at 1:29 PM, Anne van Kesteren <annevk@annevk.nl> >> wrote: >> >>> On Mon, Sep 21, 2015 at 2:06 PM, Mike West <mkwst@google.com> wrote: >>> > On Mon, Sep 21, 2015 at 1:48 PM, Jose Kahan <jose.kahan@w3.org> wrote: >>> >> We need a solution that will allow to assume all content is https, >>> >> in perpetuity, without needing to upgrade all legacy content. >>> > >>> > That seems like an unfortunate design decision. I hope you'll change >>> your >>> > mind over time. :) >>> >>> Why? >>> >>> The header makes the two types of content identical. User agents not >>> implementing the header will be considered broken in due course, just >>> like user agents not supporting the Host header are today. >>> >>> I really don't think we should give folks the impression that one is >>> better than the other long term, or worse, that the header might go >>> away. That just harms adoption. >>> >> >> +1 >> >> Once we're in a world where we can apply a "universal HSTS" policy, >> there's no reason to continue hating on "http:" URIs. >> > > Sure, but that world is a long ways away, much longer than the W3C should > wait to start demonstrating leadership with HTTPS/HSTS on w3.org. > Can't +1 this hard enough.
Received on Tuesday, 22 September 2015 21:25:35 UTC