Re: Upgrade mixed content URLs through HTTP header from Mike West on 2015-02-06 (public-webappsec@w3.org from February 2015)

From: Mike West <mkwst@google.com>
Date: Fri, 6 Feb 2015 06:57:34 +0100
To: Devdatta Akhawe <dev.akhawe@gmail.com>, Alex Russell <slightlyoff@google.com>
Cc: Joel Weinberger <jww@google.com>, Emily Stark <estark@google.com>, Jim Manico <jim.manico@owasp.org>, Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>
Message-ID: <CAKXHy=dJuatz1oPOYq+XjNMu3Jb8qundzZLg1JcC4b352cxtxA@mail.gmail.com>

On Fri, Feb 6, 2015 at 6:39 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> 2) how to upgrade it to https (possibly via a directive
>
or via JS). I was focusing on the latter when talking about
> ServiceWorkers. I guess it doesn't help in cases where you don't
> actually support HTTPS in some obscure origin and thus can't upgrade
> automatically.
>

We currently do mixed content (and CSP) checks before sending the request
to the Service Worker. I'm not sure it would be a good idea to restructure
that to wait for the SW to potentially rewrite the request. Also, the
timing seems problematic. You can't register a SW until you're on an HTTPS
page, at which point it't too late to start upgrading its requests.

I think a CSP-based solution has some advantages here, but I guess I
wouldn't be opposed to explaining it in terms of service workers if there's
a good way of doing so. +Alex, who probably has opinions about SW's
applicability.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 6 February 2015 05:58:23 UTC