- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 19 Nov 2014 13:29:10 +0100
- To: Yves Lafon <ylafon@w3.org>
- Cc: Mike West <mkwst@google.com>, T Undecl <ted@w3.org>, "SULLIVAN, BRYAN L" <bs3131@att.com>, Daniel Appelquist <appelquist@gmail.com>, TAG List <www-tag@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>
On Wed, Nov 19, 2014 at 1:20 PM, Yves Lafon <ylafon@w3.org> wrote:
> So if the behaviour in https://bugzilla.mozilla.org/show_bug.cgi?id=838395
> is intentional to force people to upgrade references, it is still
> problematic to display a warning that is untrue.

I recommend making this case on the WebAppSec mailing list. Fetch currently requires that mixed content is not triggered in this case.

It seems the W3C would also be helped by some kind of HTTPS override for certain links on a page delivered through an HTTP header. After all, HSTS only helps if the user has an HSTS cache entry. If you have a pointer from www.w3.org to lists.w3.org the latter might not have such a cache entry yet and would not be rewritten. Being able to tell a user agent in advance which URLs found in a given resource can be upgraded to HTTPS might be a valuable thing (scoped to that resource, of course).

> Even worse than that, if https://www.example.com/ refers to
> https://www.example.com/asset/foo, then https://www.example.com/asset/foo is
> redirected to http://www.example.com/asset/foo, then the icon basically says
> that everything was securely transferred, which was NOT the case. Is that an
> intentional behaviour? :)

Testcase? If that's actually what happens that would be a serious bug.

--
https://annevankesteren.nl/
Received on Wednesday, 19 November 2014 12:29:39 UTC
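
The HSTS cache limitation described in the message above, as an added example that is not part of the original e-mail: a simplified model of RFC 6797 known-host matching, showing that a link is only rewritten to HTTPS when the user agent already holds a matching cache entry. The `HstsCache` class, the `Strict-Transport-Security` values and the timestamp are constructed for illustration and do not describe the policy any real host sends.

```javascript
// Simplified model of a user agent's HSTS cache (RFC 6797 host matching).
// Header values and timestamps used in demo() are constructed sample data.
class HstsCache {
  constructor() {
    this.entries = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record a Strict-Transport-Security header received over HTTPS from `host`.
  note(host, headerValue, nowSec) {
    let maxAge = null;
    let includeSubDomains = false;
    for (const raw of headerValue.split(";")) {
      const [name, value = ""] = raw.split("=").map((s) => s.trim());
      if (/^max-age$/i.test(name)) maxAge = parseInt(value.replace(/"/g, ""), 10);
      else if (/^includeSubDomains$/i.test(name)) includeSubDomains = true;
    }
    if (maxAge === null || Number.isNaN(maxAge)) return; // max-age is mandatory
    const key = host.toLowerCase();
    if (maxAge === 0) this.entries.delete(key); // max-age=0 drops the entry
    else this.entries.set(key, { expires: nowSec + maxAge, includeSubDomains });
  }

  // Known HSTS host: exact match, or a parent-domain entry with includeSubDomains.
  isKnown(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join("."));
      if (e && e.expires > nowSec && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }

  // Return the URL the user agent would actually request for a link.
  rewrite(url, nowSec) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.isKnown(u.hostname, nowSec)) u.protocol = "https:";
    return u.href;
  }
}

// The case from the message: www.w3.org was visited, lists.w3.org was not.
function demo() {
  const now = 1416400000; // constructed clock value, in seconds
  const cache = new HstsCache();
  cache.note("www.w3.org", "max-age=31536000", now);
  return {
    visited: cache.rewrite("http://www.w3.org/TR/", now),
    unvisited: cache.rewrite("http://lists.w3.org/Archives/Public/www-tag/", now),
  };
}
```

In this model the sibling host is only covered once it has been contacted over HTTPS itself, or when a parent-domain entry carries `includeSubDomains`.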