Support for PMI's with schemes other than https? #17
Comments
|
+1 to rephrase "must start with https://" to say "must be hosted in a secure fashion." This opens the door to the future secure protocols. |
|
I would get input from the WebSecWG before we change text here. In general, I agree with the intent - but if some weird "secure"(tm) protocol gets used by one UA, it risks screwing over all other UAs and remaining spec-conforming. |
|
(fixed above) |
|
Closed with adoption of PR 21 at 23 Feb Meeting |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
From: #16 (comment)
There is a concern that having browsers all over the world fetching a manifest all the time will put significant strain on the hosts of the manifest.
There are protocols that are better at serving static content than HTTP such as IPFS. While they're not supported in most browsers yet, they may be soon.
So, should we be limiting the PMI URLs to
httpsas the scheme or rather wording this as something that requires fetching the manifest through a SecureContext or similar?The text was updated successfully, but these errors were encountered: