Re: [UPGRADE]: What's left?

On Mon, Mar 16, 2015 at 7:26 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:

> The 200+implicit redirect case is only going to be implemented by sites
> that can't go ahead and do a 302 redirect to https in the first place.
>

Right. That's basically the use case I'm targeting here: servers that
require the upgrade mechanism, because they haven't done the work to
support every browser right away.


> the outbound Prefer: on every http:// (and https://, if we want to signal
> safety for HSTS) has to be done by the client on *every* navigational
> request, even for sites that have already done a full migration.
>
> As a stepping stone, the 200+implicit redirect seems like something most
> parts of the web could get rid of eventually, whereas the Prefer: header
> on all outbound navigations seems like permanent cruft in the stack.
>

I agree with this sentiment.

The spec currently limits the `Prefer` header's impact by limiting it to
insecure transport (with the assumption that we'll eventually all be secure
all the time, and therefore that the header will simply vanish over time).
I'd be perfectly happy to drop it entirely, as proposed in
https://github.com/w3c/webappsec/issues/212. I'm less enthused about
expanding its scope, as proposed in
https://github.com/w3c/webappsec/pull/209.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
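The two server strategies the thread contrasts, sketched as a small simulation. This is an added example, not code from the thread, the Upgrade Insecure Requests draft, or any browser; the header name `Prefer: return=secure-representation` and the `Content-Security-Policy: upgrade-insecure-requests` response hint are assumed to be what the thread's "Prefer:" and "200+implicit redirect" refer to, and the URLs are constructed. A fully migrated site answers every http:// navigation with a 302, whatever the client sent; a site that cannot redirect every browser redirects only clients that signal the preference and otherwise serves the http page with the upgrade hint. The client attaches the preference header only on insecure navigations, which is the scoping Mike describes:

```python
"""Simulation of: unconditional 302 to https:// (fully migrated site) versus
a 200 carrying an upgrade hint ("200+implicit redirect"), with a client that
sends the preference header only on http:// navigations."""

from urllib.parse import urlsplit, urlunsplit

# Assumed header names/values (not taken from the thread): the request-side
# preference and the response-side upgrade hint of the draft being discussed.
PREFER_HEADER = "Prefer"
PREFER_VALUE = "return=secure-representation"
UPGRADE_CSP = "Content-Security-Policy"
UPGRADE_DIRECTIVE = "upgrade-insecure-requests"


def client_headers(url: str) -> dict:
    """Build navigation request headers. The preference header is scoped to
    insecure transport, so it is attached for http:// and never for https://."""
    parts = urlsplit(url)
    headers = {"Host": parts.netloc}
    if parts.scheme == "http":
        headers[PREFER_HEADER] = PREFER_VALUE
    return headers


def to_https(url: str) -> str:
    """Rewrite an http:// URL to https://, leaving the rest of it untouched."""
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


def server_response(url: str, headers: dict, fully_migrated: bool) -> tuple:
    """Return (status, response_headers, body) for one navigation request.

    fully_migrated=True: the site can redirect every client, so it issues a
    302 regardless of any request header.
    fully_migrated=False: the site redirects only clients that signalled the
    preference and otherwise serves the http page with the upgrade hint.
    """
    if urlsplit(url).scheme == "https":
        return 200, {}, "secure page"
    if fully_migrated:
        return 302, {"Location": to_https(url)}, ""
    if headers.get(PREFER_HEADER) == PREFER_VALUE:
        return 302, {"Location": to_https(url)}, ""
    return 200, {UPGRADE_CSP: UPGRADE_DIRECTIVE}, "insecure page"


def navigate(url: str, fully_migrated: bool, supports_upgrade: bool = True) -> str:
    """Run one navigation through the exchange and return the final URL.

    supports_upgrade=False models a legacy browser: it sends no preference
    header and ignores the upgrade hint in the response."""
    if supports_upgrade:
        headers = client_headers(url)
    else:
        headers = {"Host": urlsplit(url).netloc}
    status, resp, _body = server_response(url, headers, fully_migrated)
    if status == 302:
        return resp["Location"]
    if supports_upgrade and resp.get(UPGRADE_CSP) == UPGRADE_DIRECTIVE:
        # The "implicit redirect": the client upgrades the navigation itself.
        return to_https(url)
    return url


if __name__ == "__main__":
    for migrated in (True, False):
        for modern in (True, False):
            print(migrated, modern, navigate("http://example.com/a", migrated, modern))
```

Running the four combinations shows the asymmetry the thread is about: the fully migrated site reaches https:// for every client without looking at the header, while the partially migrated site reaches https:// only for clients that either sent the preference or honour the hint, and legacy clients stay on http://. The client, however, has no way to tell the two sites apart in advance, so it sends the header on every http:// navigation to both.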

Received on Monday, 16 March 2015 08:26:35 UTC