- From: yan <yan@mit.edu>
- Date: Mon, 05 Jan 2015 09:33:16 -0800
- To: Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Brad Hill wrote:
> The edge cases introduced by this kind of optimistic upgrade may very
> well be fewer and less harmful than those introduced by allowing
> insecure content into secure contexts. In fact, the EFF probably
> already has a good amount of data on exactly this from the HTTPS
> Everywhere extension.
>

Chiming in as I magically do whenever HTTPS Everywhere appears in discussion, I am dubious that this would be a good idea. A significant percentage of rules are *not* from an HTTP origin to the same origin with HTTPS. However, in most cases this is just because the same-origin-but-with-HTTPS doesn't support SSL (sites will often have a cert for www* but not the bare domain), so it wouldn't cause any harm.

A dramatic example of where the HTTP and HTTPS sites are completely semantically different: http://forbes.com vs https://forbes.com/.

I can ask EFF to produce this data more rigorously, but for now you can get a rough estimate by randomly picking a page from https://www.eff.org/https-everywhere/atlas/. Ex: https://www.eff.org/https-everywhere/atlas/domains/rac.co.uk.html.

-Yan
ex-maintainer of https everywhere
Received on Monday, 5 January 2015 17:34:13 UTC
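An added illustration of the distinction Yan draws between a same-origin HTTP-to-HTTPS upgrade and a rule that sends the browser to a different HTTPS host. This is example code written for this archive page, not code from the thread or from the HTTPS Everywhere extension: it applies rulesets written in the HTTPS Everywhere XML style (target, rule, exclusion elements) to URLs, classifies each rewrite, and compares it with a naive "optimistic" same-origin upgrade. The ruleset file embedded below is constructed for the example; the hostnames in it are placeholders, and the wildcard handling for `*.` targets is a simplification.

```python
import re
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample rulesets in the HTTPS Everywhere XML style.
# Hostnames are placeholders; this is not an EFF ruleset file.
SAMPLE_RULESETS = r"""
<rulesets>
  <ruleset name="Same-origin upgrade">
    <target host="example.org"/>
    <rule from="^http:" to="https:"/>
  </ruleset>
  <ruleset name="Bare domain sent to www">
    <target host="example.net"/>
    <target host="www.example.net"/>
    <exclusion pattern="^http://example\.net/legacy/"/>
    <rule from="^http://(www\.)?example\.net/" to="https://www.example.net/"/>
  </ruleset>
</rulesets>
"""


def load_rulesets(xml_text):
    """Parse ruleset XML into a list of dicts with compiled regexes."""
    root = ET.fromstring(xml_text)
    rulesets = []
    for rs in root.iter("ruleset"):
        rulesets.append({
            "name": rs.get("name"),
            "targets": [t.get("host") for t in rs.findall("target")],
            "exclusions": [re.compile(e.get("pattern")) for e in rs.findall("exclusion")],
            "rules": [(re.compile(r.get("from")), r.get("to")) for r in rs.findall("rule")],
        })
    return rulesets


def host_matches(target, host):
    # A leading "*." target matches any subdomain (simplified wildcard handling).
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target


def rewrite(url, rulesets):
    """Apply the first matching ruleset. Returns (new_url, ruleset_name) or (url, None)."""
    host = urlsplit(url).hostname or ""
    for rs in rulesets:
        if not any(host_matches(t, host) for t in rs["targets"]):
            continue
        # An exclusion leaves the URL untouched, as in the extension's semantics.
        if any(ex.search(url) for ex in rs["exclusions"]):
            return url, None
        for pattern, replacement in rs["rules"]:
            if pattern.search(url):
                return pattern.sub(replacement, url, count=1), rs["name"]
    return url, None


def optimistic_upgrade(url):
    """The naive 'optimistic upgrade' under discussion: same origin, scheme flipped to https."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return "https://" + url[len("http://"):]


def classify(original, rewritten):
    """Label a rewrite: unchanged, same-origin-upgrade, cross-origin, or not-https."""
    if original == rewritten:
        return "unchanged"
    a, b = urlsplit(original), urlsplit(rewritten)
    if b.scheme != "https":
        return "not-https"
    if a.hostname == b.hostname:
        return "same-origin-upgrade"
    return "cross-origin"


def compare(url, rulesets):
    """Show where a ruleset rewrite diverges from the naive optimistic upgrade."""
    ruled, name = rewrite(url, rulesets)
    naive = optimistic_upgrade(url)
    return {
        "url": url,
        "ruleset": name,
        "ruleset_result": ruled,
        "kind": classify(url, ruled),
        "optimistic_result": naive,
        "diverges": ruled != naive,
    }


def summarize(urls, rulesets):
    """Rough tally of rewrite kinds over a list of URLs, the estimate the message suggests."""
    counts = {}
    for url in urls:
        kind = compare(url, rulesets)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    rs = load_rulesets(SAMPLE_RULESETS)
    for u in ["http://example.org/a", "http://example.net/b", "http://example.net/legacy/c"]:
        print(compare(u, rs))
```

The "Bare domain sent to www" ruleset is the case the message describes: the rule is a valid HTTPS rewrite, but it is not a same-origin upgrade, and a browser that simply flipped the scheme would land on a host the ruleset author deliberately avoided. Run `summarize` over a sampled list of URLs to get the kind of rough breakdown the message proposes.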