On Mon, Sep 21, 2015 at 10:53 AM, Eric Mill <eric@konklone.com> wrote:
>
> On Mon, Sep 21, 2015 at 1:33 PM, Richard Barnes <rbarnes@mozilla.com>
> wrote:
>
>>
>>
>> On Mon, Sep 21, 2015 at 1:29 PM, Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>>
>>> On Mon, Sep 21, 2015 at 2:06 PM, Mike West <mkwst@google.com> wrote:
>>> > On Mon, Sep 21, 2015 at 1:48 PM, Jose Kahan <jose.kahan@w3.org> wrote:
>>> >> We need a solution that will allow to assume all content is https,
>>> >> in perpetuity, without needing to upgrade all legacy content.
>>> >
>>> > That seems like an unfortunate design decision. I hope you'll change
>>> your
>>> > mind over time. :)
>>>
>>> Why?
>>>
>>> The header makes the two types of content identical. User agents not
>>> implementing the header will be considered broken in due course, just
>>> like user agents not supporting the Host header are today.
>>>
>>> I really don't think we should give folks the impression that one is
>>> better than the other long term, or worse, that the header might go
>>> away. That just harms adoption.
>>>
>>
>> +1
>>
>> Once we're in a world where we can apply a "universal HSTS" policy,
>> there's no reason to continue hating on "http:" URIs.
>>
>
> Sure, but that world is a long ways away, much longer than the W3C should
> wait to start demonstrating leadership with HTTPS/HSTS on w3.org.
>
Can't +1 this hard enough.