Re: Proposal: Marking HTTP As Non-Secure from Brad Hill on 2014-12-16 (public-webappsec@w3.org from December 2014)

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 16 Dec 2014 06:09:39 +0000
To: Igor Bukanov <igor@mir2.org>, Mike West <mkwst@google.com>
Cc: Ryan Sleevi <rsleevi@chromium.org>, Daniel Veditz <dveditz@mozilla.com>, Michal Zalewski <lcamtuf@google.com>, Peter Bowen <pzbowen@gmail.com>, Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8izhVz=Pd5Ps8wm6dXnd+KXtF2UoHvPbHHw-pgVjiQYjw@mail.gmail.com>

If resources are scheme relative, they will point towards https when the
resource is https. (and work in CSP with an https: scheme policy)  So no
brokenness.

On Mon Dec 15 2014 at 10:05:21 PM Igor Bukanov <igor@mir2.org> wrote:

> On 16 December 2014 at 06:40, Mike West <mkwst@google.com> wrote:
>
>>
>> Nothing in CSP should prevent scheme-relative URLs from functioning; they
>> should resolve relative to the document in which they're embedded, and CSP
>> should block or allow them accordingly.
>>
>>
> The idea is to use CSP reports to check if a site is ready for https
> switch before the actual switch by insisting on https: protocol for all
> resources. That does not work with scheme-relative URLs.
>
>

Received on Tuesday, 16 December 2014 06:10:09 UTC