Re: UPGRADE: 'HTTPS' header causing compatibility issues. from Mike West on 2015-07-07 (public-webappsec@w3.org from July 2015)

From: Mike West <mkwst@google.com>
Date: Tue, 7 Jul 2015 14:10:11 +0200
To: Yoav Weiss <yoav@yoav.ws>
Cc: Richard Barnes <rbarnes@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Adrian Hope-Bailie <adrian@hopebailie.com>, "Nottingham, Mark" <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=cA75nXMraEn8mJ-5H5Y_3MBxQ+upauRnnzYw4C9oX1cQ@mail.gmail.com>

On Wed, Jul 1, 2015 at 11:03 PM, Yoav Weiss <yoav@yoav.ws> wrote:

> A static set of "Prefer" headers would mean that (very much like "Accept")
> in case that content varies on `Prefer`, intermediate caches would have to
> maintain ~ a copy per UA. The damage can be minimized if UAs coordinate to
> make sure that similar `Prefer` values are *identical* between the
> different UAs.
>
> That's not *awful*, but in terms of caching, a separate header name is
> better, at least until `key
> <https://tools.ietf.org/html/draft-fielding-http-key-02>` becomes a thing.
>
> Is "Upgrade-Insecure-Requests: yes pleasssssse" much worse than "Prefer:
> upgrade-insecure-requests"?
>

It sounds like there's general agreement that `Prefer` is the right
semantic to use here, but there's concern (and disagreement) about whether
or not the caching impact a) exists, b) overrides the semantic value.

If there's a clear solution for the caching problem (`key`), and we're just
waiting for it to be deployed, then I'd prefer `Prefer`. :)

Is that a crazy stance? Are there sincere impacts to the Internets that I'm
missing? If not, I'll update the spec to `Prefer: secure-transport`.

-mike

Received on Tuesday, 7 July 2015 12:10:58 UTC