- cross-posted to:
- browsers@lemmy.ml
- technews@radiation.party
- cross-posted to:
- browsers@lemmy.ml
- technews@radiation.party
cross-posted from: https://lemmy.world/post/3301227
Chrome will be experimenting with defaulting to https:// if the site supports it, even when an http:// link is used and will warn about downloads from insecure sources for “high-risk files” (example given is an exe). They’re also planning on enabling it by default for Incognito Mode and “sites that Chrome knows you typically access over HTTPS”.
It does specifically say “defaulting to https:// if the site supports it”, so I think specifying http will still work if the site doesn’t actually support https.
Removed by mod
No testing a server side http-to-https upgrade/redirect without reconfiguring your browser. This seems like an unnecessary and bad idea.
This could be easily done better by promoting such server-side configurations as a default.
I mean, why should the browser attempt to correct inappropriately configured servers? Shouldn’t they rather be making PRs to NGINX/Apache/CAs or whatever?
Also: can’t this be exploited to spoof an unavailable HTTPS and coerce an unencrypted connection?