W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

CSP: non-TLS scheme restrictions must allow TLS-enabled schemes automatically

From: Brian Smith <bsmith@mozilla.com>
Date: Sun, 26 Jun 2011 14:19:46 -0700 (PDT)
To: public-web-security@w3.org
Message-ID: <816624748.340417.1309123186348.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>
For example, a source of "http://example.com" must implicitly allow "https://example.com," in minimize the problems with migrating from HTTP to HTTPS and to make the interaction with HSTS unproblematic.

In the draft spec, there is the statement "If a scheme is not specified as part of the source expression, a user-agent must use the same scheme as the protected document." I think additionally, there should be a statement that says "A source that has a non-TLS scheme (e.g. 'http' instead of 'https') and that uses the default port for the scheme (e.g. 80 for http) implies an additional source with the TLS variant of the scheme on that scheme's default port (e.g. 'https' on port 443)." Or, something a little more comprehensible than that.

Received on Sunday, 26 June 2011 21:20:14 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC