Httpsupgrades November 2024 updates - added non-normative examples and changed Https upgrade step

[meacer]

Chris, could you PTAL before I pull these into the actual PR?

I had to move the upgrade step (section 4.1.5 before, 4.1.11 now) right after the HSTS step to fix the issue at whatwg#1655 (comment)

However, the HTTPS upgrade now happens after the mixed content upgrade step (4.1.5 in the unmodified spec). So perhaps mixed content upgrade should happen after the HSTS upgrade (4.1.10 in the unmodified spec) in the first place? Do you think this is a bug in the unmodified spec or am I missing something?

[christhompson]

In Chrome at least, the order of precedence is:

• Mixed content upgrade/block
• HSTS upgrade (we check if HSTS is enforced and if so defer upgrades to HSTS)
• HTTPS-Upgrades and fallback

HTTPS-RR happen after all of this as it requires actually going out on the network for the DNS lookup (conceptually, we can think of it as a sort of anti-downgrade protection given all the other upgrade sources). Technically HSTS happens after HTTPS-Upgrades as well and we just skip Upgrades if we know HSTS will be enforced (so that we can do the right warning precedence if HTTPS-First Mode is enabled).

[christhompson]

The update LGTM. I think the new ordering makes sense, and the HTTPS RR subtlety is already called out in the note above (that is, HTTPS RR can only happen after we already make a connection, so it is kind of in the wrong place or shouldn't even be in the Fetch spec and just be part of HTTP).

[meacer]

Thanks! Will merge into the main PR with the notes we discussed.