Re: UPGRADE: 'HTTPS' header causing compatibility issues. from Richard Barnes on 2015-07-08 (public-webappsec@w3.org from July 2015)

From: Richard Barnes <rbarnes@mozilla.com>
Date: Wed, 8 Jul 2015 10:53:38 -0700
To: Brian Smith <brian@briansmith.org>
Cc: Martin Thomson <martin.thomson@gmail.com>, Mike West <mkwst@google.com>, Adrian Hope-Bailie <adrian@hopebailie.com>, Ilya Grigorik <igrigorik@google.com>, Anne van Kesteren <annevk@annevk.nl>, "Nottingham, Mark" <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAOAcki9J1mFjwV3xp4myBSaE-UWX8FeABTZ8x1yNnvxJX-7Srg@mail.gmail.com>

On Wed, Jul 8, 2015 at 10:48 AM, Brian Smith <brian@briansmith.org> wrote:

> On Wed, Jul 8, 2015 at 1:08 PM, Richard Barnes <rbarnes@mozilla.com>
> wrote:
>
>> On Wed, Jul 8, 2015 at 9:29 AM, Martin Thomson <martin.thomson@gmail.com>
>> wrote:
>>
>>> On 8 July 2015 at 07:53, Mike West <mkwst@google.com> wrote:
>>> > `upgrade-insecure-requests: 1`, going once, going twice...
>>>
>>>
>>> OK, I'll bite.  -requests seems unnecessarily verbose.  I mean, yes,
>>> we do want to be precise and clear, but `upgrade-insecure` seems
>>> enough; though only if you also change the CSP directive name I
>>> suppose.
>>>
>>
>> Please, let's just have the header name match the directive name.
>>
>
> I agree it is better to have it match the directive name. However, I also
> think it would be fine to rename the CSP directive to "upgrade-insecure" or
> (better) "upgrade-non-secure".
>
> Consider the case of ws:// to wss:// upgrade. No "requests" are involved.
> Also, for HTTP -> HTTPS, the mechanism also indirectly upgrades the
> responses. So "-requests" seems not so good irrespective of the HTTP header
> field naming issue.
>

WFM


>
> Cheers,
> Brian
>

Received on Wednesday, 8 July 2015 17:54:09 UTC