- From: Peter Eckersley <pde@eff.org>
- Date: Fri, 6 Mar 2015 09:49:46 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>
Dkg and I happen to be physically colocated and have been looking through the draft. The first significant issue we spotted is that the client will (unfortunately) need to keep signalling whether or not it supports this mechanisms even over HTTPS requests. The reason is that in many cases HSTS needs to be set conditionally on this feature. We've put together a pull request for this change: https://github.com/w3c/webappsec/pull/209 Unfortunately that does mean this mechanism is going to add a lot of bytes on the wire, and we should consider mitigations like shortening the Prefer: header, or only sending the Prefer: header for magic HTTPS URLs like favicon.ico (since it's just going to be there to refresh HSTS once every so often). On Fri, Mar 06, 2015 at 08:51:38AM +0100, Mike West wrote: > I've done some work on the "Upgrade Insecure Requests" spec since the FPWD > was published (and have a 90% functional implementation behind a flag in > Chrome). I'd appreciate it if folks here would take another look at the > document to see if we're converging on something we like: > https://w3c.github.io/webappsec/specs/upgrade/ > > The only issue noted in the document is > https://github.com/w3c/webappsec/issues/184, which suggests changing from a > value-less directive to a whitelist of hosts. I can see how that would be > valuable, but it seems like a complicated thing to add if we don't actually > need it. Do folks here think it is necessary? > > In particular, I'm CCing some W3C folks (Ted and Yves) who participated in > an earlier thread[1] to see if this would help them more quickly migrate to > HTTPS. Hi! Does this help for the W3C's use-case? > > Basically, if what we have is good enough, I want to start shipping it in > Chrome to get developer feedback (and to get sites migrated more quickly). > If it's not good enough, I want to know how to make it better. > > Feedback welcome. :) > > [1]: https://lists.w3.org/Archives/Public/www-tag/2014Nov/0031.html > > -- > Mike West <mkwst@google.com>, @mikewest > > Google Germany GmbH, Dienerstrasse 12, 80331 München, > Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der > Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth > Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) -- Peter Eckersley pde@eff.org Technology Projects Director Tel +1 415 436 9333 x131 Electronic Frontier Foundation Fax +1 415 436 9993
Received on Friday, 6 March 2015 17:50:22 UTC