7171 < h1 class ="p-name no-ref " id ="title "> Upgrade Insecure Requests</ h1 >
7272
7373 < h2 class ="no-num no-toc no-ref heading settled " id ="subtitle "> < span class ="content "> Editor’s Draft,
74- < time class ="dt-updated " datetime ="2015-08-10 " > 10 August 2015</ time > </ span > </ h2 >
74+ < time class ="dt-updated " datetime ="2015-08-12 " > 12 August 2015</ time > </ span > </ h2 >
7575
7676 < div data-fill-with ="spec-metadata ">
7777 < dl >
@@ -85,7 +85,6 @@ <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="cont
8585 < dd > < span > < a href ="
mailto:[email protected] ?subject=%5Bupgrade-insecure-requests%5D%20YOUR%20TOPIC%20HERE "
> [email protected] </ a > with subject line “
< kbd > [upgrade-insecure-requests]
< var > … message topic …
</ var > </ kbd > ” (
< a href ="
http://lists.w3.org/Archives/Public/public-webappsec/ "
rel ="
discussion "
> archives
</ a > )
</ span > 8686 < dt > Issue Tracking:
8787 < dd > < a href ="https://github.com/w3c/webappsec/issues/ "> GitHub</ a >
88- < dd > < a href ="#issues-index "> Inline In Spec</ a >
8988 < dt class ="editor "> Editor:
9089 < dd class ="
editor p-author h-card vcard "
data-editor-id ="
56384 "
> < a class ="
p-name fn u-email email "
href ="
mailto:[email protected] "
> Mike West
</ a > (
< span class ="
p-org org "
> Google Inc.
</ span > )
9190 </ dl >
@@ -237,7 +236,6 @@ <h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="cont
237236 < li > < a href ="#normative "> < span class ="secno "> </ span > < span class ="content "> Normative References</ span > </ a >
238237 < li > < a href ="#informative "> < span class ="secno "> </ span > < span class ="content "> Informative References</ span > </ a >
239238 </ ul >
240- < li > < a href ="#issues-index "> < span class ="secno "> </ span > < span class ="content "> Issues Index</ span > </ a >
241239 </ ul > </ div >
242240
243241 < main >
@@ -838,15 +836,6 @@ <h3 class="heading settled" data-level="3.1" id="delivery"><span class="secno">3
838836 default-src https:; report-uri /endpoint</ code > . See < a href ="#reporting-upgrades "> §3.4 Reporting Upgrades</ a >
839837 for additional detail.</ p >
840838
841-
842- < p class ="issue " id ="issue-c64cf7d1 "> < a class ="self-link " href ="#issue-c64cf7d1 "> </ a > In
843- < a href ="https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0042.html "> a thread on public-webappsec@</ a > ,
844- Peter Eckersley suggested modifying this to allow whitelisting specific hosts,
845- rather than upgrading everything: "That way, if you have N third parties
846- on a site, and (say) two of them provide images only, and don’t support
847- HTTPS at all, you can use the upgrade mechanism for scripts on the other
848- N - 2 origins." < a href ="https://github.com/w3c/webappsec/issues/184 "> <https://github.com/w3c/webappsec/issues/184> </ a > </ p >
849-
850839
851840 < h4 class ="heading settled " data-level ="3.1.1 " id ="mix "> < span class ="secno "> 3.1.1. </ span > < span class ="content "> Relation to "Mixed Content"</ span > < a class ="self-link " href ="#mix "> </ a > </ h4 >
852841
@@ -892,7 +881,8 @@ <h4 class="heading settled" data-level="3.2.1" id="preference"><span class="secn
892881 </ span > < a class ="self-link " href ="#preference "> </ a > </ h4 >
893882
894883
895- < p > The < dfn data-dfn-type ="dfn " data-export ="" data-local-lt ="Upgrade-Insecure-Requests header field " id ="upgrade_insecure_requests-http-request-header-field ">
884+ < p > The < dfn data-dfn-type ="dfn " data-export ="" data-local-lt ="Upgrade-Insecure-Requests header field " data-lt ="Upgrade-Insecure-Requests HTTP request header
885+ field " id ="upgrade_insecure_requests-http-request-header-field ">
896886 < code > Upgrade-Insecure-Requests</ code > HTTP request header
897887 field< a class ="self-link " href ="#upgrade_insecure_requests-http-request-header-field "> </ a > </ dfn > sends a signal to the server expressing the client’s preference
898888 for an encrypted and authenticated response, and that it can successfully
@@ -1156,18 +1146,14 @@ <h3 class="heading settled" data-level="3.3" id="nesting"><span class="secno">3.
11561146
11571147 </ ol >
11581148
1159-
1160-
1161- < p class ="issue " id ="issue-61dd79e9 "> < a class ="self-link " href ="#issue-61dd79e9 "> </ a > Monkey patching. :(</ p >
1162-
11631149
11641150
11651151
11661152 </ ol >
11671153
11681154
1169- < p class ="issue " id =" issue-9721e5e6 " > < a class =" self-link " href =" #issue-9721e5e6 " > </ a > The WHATWG HTML spec is significantly clearer here than < a data-link-type =" biblio " href =" #biblio-workers " > [WORKERS] </ a > .
1170- Hope that doesn’t cause problems when transitioning to CR .</ p >
1155+ < p class ="note " role =" note " > Note: We’re using the WHATWG HTML spec’s definition of Worker algorithms, as
1156+ they’re significantly more clear on these points than < a data-link-type =" biblio " href =" #biblio-workers " > [WORKERS] </ a > .</ p >
11711157
11721158
11731159 < h3 class ="heading settled " data-level ="3.4 " id ="reporting-upgrades "> < span class ="secno "> 3.4. </ span > < span class ="content "> Reporting Upgrades</ span > < a class ="self-link " href ="#reporting-upgrades "> </ a > </ h3 >
@@ -1915,17 +1901,5 @@ <h3 class="no-num heading settled" id="informative"><span class="content">Inform
19151901 < dt id ="biblio-nyt-https "> < a class ="self-link " href ="#biblio-nyt-https "> </ a > [NYT-HTTPS]
19161902 < dd > Eitan Konigsburg; Rajiv Pant; Elena Kvochko. < a href ="http://open.blogs.nytimes.com/2014/11/1%33/embracing-https/ "> Embracing HTTPS</ a > . URL: < a href ="http://open.blogs.nytimes.com/2014/11/1%33/embracing-https/ "> http://open.blogs.nytimes.com/2014/11/1%33/embracing-https/</ a >
19171903 < dt id ="biblio-web-https "> < a class ="self-link " href ="#biblio-web-https "> </ a > [WEB-HTTPS]
1918- < dd > Mark Nottingham. < a href ="http://www.w3.org/2001/tag/doc/web-https "> Securing the Web</ a > . TAG Finding. URL: < a href ="http://www.w3.org/2001/tag/doc/web-https "> http://www.w3.org/2001/tag/doc/web-https</ a > </ dl >
1919- < h2 class ="no-num heading settled " id ="issues-index "> < span class ="content "> Issues Index</ span > < a class ="self-link " href ="#issues-index "> </ a > </ h2 >
1920- < div style ="counter-reset:issue ">
1921- < div class ="issue "> In
1922- < a href ="https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0042.html "> a thread on public-webappsec@</ a > ,
1923- Peter Eckersley suggested modifying this to allow whitelisting specific hosts,
1924- rather than upgrading everything: "That way, if you have N third parties
1925- on a site, and (say) two of them provide images only, and don’t support
1926- HTTPS at all, you can use the upgrade mechanism for scripts on the other
1927- N - 2 origins." < a href ="https://github.com/w3c/webappsec/issues/184 "> <https://github.com/w3c/webappsec/issues/184> </ a > < a href ="#issue-c64cf7d1 "> ↵ </ a > </ div >
1928- < div class ="issue "> Monkey patching. :(< a href ="#issue-61dd79e9 "> ↵ </ a > </ div >
1929- < div class ="issue "> The WHATWG HTML spec is significantly clearer here than < a data-link-type ="biblio " href ="#biblio-workers "> [WORKERS]</ a > .
1930- Hope that doesn’t cause problems when transitioning to CR.< a href ="#issue-9721e5e6 "> ↵ </ a > </ div > </ div > </ body >
1904+ < dd > Mark Nottingham. < a href ="http://www.w3.org/2001/tag/doc/web-https "> Securing the Web</ a > . TAG Finding. URL: < a href ="http://www.w3.org/2001/tag/doc/web-https "> http://www.w3.org/2001/tag/doc/web-https</ a > </ dl > </ body >
19311905</ html >
0 commit comments