You can, but then you've got to write this enormous block comment saying "I realise this looks wrong and broken, but ssl is also broken so don't change this constant", until some junior dev inevitably does anyway.
Having known vulnerabilities baked into a standard with "weird looking" mitigation strategies is a really poor choice IMO.
That said, I do see your point. There are also other edge cases, like serving statics on a separate, uncookied domain that benefit greatly from SPDY in the here and now.