I am reading and taking notes on the HTML specifications for 100 days as part of #The100DayProject. Read the initial intent/backstory. I am a Microsoft employee but all opinions, comments, etc on this site are my own. I do not speak on behalf of my employer, and thus no comments should be taken as representative of Microsoft’s official opinion of the spec. Subsections not listed below were read without comment.
Currently reading in 2.6 Fetching Resources.
2.6.3 Encrypted HTTP and related security concerns
UAs should warn users of certificate errors (this section also applies to HTTP-over-TLS, shown as “https://” links); they should also either not download the resources that contain certificate errors, or act as though these resources weren’t encrypted at all. Notably, a page can’t just be whitelisted after a secure visit, the UA has to run this check every time.
This section goes through some examples of the above. One fun application of this part of spec that I’ve run into in real time is styling third-party applications for clients. Often, these applications are served over https, but might not have local storage for fonts, stylesheets, and images. You need to have hosting for these resources that also has a secure certificate; an SSL cert seems to range from a couple bucks to a couple hundred dollars per year.
2.6.4 Determining the type of a resource
There’s a whole other spec for MIME-type sniffing, whee! Essentially, MIME-sniffing is determining what type of file/resource is being requested. User agents have to be careful to follow the spec precisely, because if they return a different MIME type than the server, that could result in security issues.