- From: Mike West <mkwst@google.com>
- Date: Mon, 21 Sep 2015 12:59:46 +0200
- To: Jose Kahan <jose.kahan@w3.org>
- Cc: Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 21 September 2015 11:00:34 UTC
On Mon, Sep 21, 2015 at 12:28 PM, Jose Kahan <jose.kahan@w3.org> wrote:

> We are in the process of deploying the HSTS/HTTPS config from www-test
> to our production servers. However, we got a snatch that wasn't
> detected during our tests: the latest released Firefox (40.0.3) doesn't
> seem to apply the HSTS rule before checking for mixed-content warning.

I don't think that any browser applies HSTS before mixed content (see steps
4 and 6 of https://fetch.spec.whatwg.org/#main-fetch).

> Today we had a news item with an absolute HTTP link to an image and this
> revealed it. Firefox will also complain if there are absolute HTTP
> links to CSS files.

Is it possible that you're relying on `Upgrade-Insecure-Requests`, and that
you're using a version of Firefox which doesn't yet support it? I think
they're shipping in 42.

> In view of this, if there is no immediate solution we could apply, we're
> going to have to roll back the deployment and wait until it is fixed.

Wouldn't it be better to fix the absolute HTTP links? That would solve the
problem for Firefox, and browsers like Safari that don't support the
upgrade feature at all.

-mike
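The ordering Mike describes (the `upgrade-insecure-requests` step first, then the mixed content check on the resulting URL, and HSTS only when the request reaches the network) and the remediation he recommends (fix the absolute `http://` links) can be made concrete. The following is an added example written for this archive page; it is not code from the thread, from the W3C site, or from any browser. The HTML snippet, the `www.example.org` host and the HSTS list are constructed for the demo, and `fetchOutcome` is a deliberately simplified model of the Fetch/Mixed Content spec behaviour, not a browser implementation.

```javascript
// Added example (not from the thread): scan a page for absolute http://
// subresources, model why HSTS does not rescue them, and show both the
// CSP upgrade (browser-dependent) and the markup fix (works everywhere).

const PAGE_ORIGIN = "https://www.example.org"; // assumed: the page itself is HTTPS

// Constructed sample markup: a news item with an absolute http:// image and
// stylesheet, a protocol-relative image, an https script and a plain link.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://www.example.org/style/news.css">
<img src="http://www.example.org/images/news.jpg" alt="">
<img src="//www.example.org/images/logo.png" alt="">
<script src="https://www.example.org/js/app.js"></script>
<a href="http://www.example.org/news/">Read more</a>
`;

// Mixed Content spec categories: images and media are "optionally-blockable"
// (fetched, but the page loses its secure indicator); scripts, stylesheets,
// frames and the like are "blockable" (the fetch is refused).
const OPTIONALLY_BLOCKABLE = new Set(["img", "audio", "video"]);
const SUBRESOURCE_ATTRS = {
  img: "src", script: "src", link: "href", iframe: "src", audio: "src", video: "src",
};

// Return every subresource whose URL resolves to http://. <a href> is a
// navigation, not a subresource, so it is not mixed content and is skipped.
function findInsecureSubresources(html, pageOrigin = PAGE_ORIGIN) {
  const found = [];
  const tagRe = /<(img|script|link|iframe|audio|video)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrRe = new RegExp(`\\b${SUBRESOURCE_ATTRS[tag]}\\s*=\\s*"([^"]*)"`, "i");
    const a = attrRe.exec(m[2]);
    if (!a) continue;
    // A protocol-relative "//host/path" inherits https: from the page, so it is fine.
    const url = new URL(a[1], pageOrigin);
    if (url.protocol !== "http:") continue;
    found.push({
      tag,
      url: url.href,
      category: OPTIONALLY_BLOCKABLE.has(tag) ? "optionally-blockable" : "blockable",
    });
  }
  return found;
}

// What the CSP directive `upgrade-insecure-requests` does to a request URL in a
// browser that supports it: http: becomes https:. The WHATWG URL parser already
// drops an explicit default port (:80), so the upgraded URL implies port 443.
function upgradeInsecureUrl(href) {
  const u = new URL(href);
  if (u.protocol === "http:") u.protocol = "https:";
  return u.href;
}

// Simplified model of the order of operations Mike points to: the upgrade step
// runs first, the mixed content decision is made on the resulting URL, and HSTS
// only rewrites the scheme afterwards, when the request is about to go on the wire.
// hstsHosts is a constructed stand-in for the browser's HSTS store.
function fetchOutcome(resource, { upgradeInsecureRequests = false, hstsHosts = new Set() } = {}) {
  let href = resource.url;
  if (upgradeInsecureRequests) href = upgradeInsecureUrl(href);
  const u = new URL(href);
  if (u.protocol !== "http:") return { result: "ok", url: href };
  // Still http: at this point, so the mixed content check fires before HSTS is consulted.
  if (resource.category === "blockable") return { result: "blocked", url: href };
  // Optionally-blockable: fetched, but flagged as mixed content. HSTS may
  // upgrade the actual connection, yet the warning has already been decided.
  if (hstsHosts.has(u.hostname)) u.protocol = "https:";
  return { result: "mixed-content-warning", url: u.href };
}

// Mike's suggestion: fix the markup. Rewrite absolute http:// URLs on the page's
// own host to https:// so no browser, with or without upgrade support, sees them.
function fixAbsoluteHttpLinks(html, pageOrigin = PAGE_ORIGIN) {
  const host = new URL(pageOrigin).host;
  const re = new RegExp(`\\b(src|href)\\s*=\\s*"http://${host.replace(/\./g, "\\.")}(/[^"]*)"`, "gi");
  return html.replace(re, (_, attr, path) => `${attr}="https://${host}${path}"`);
}
```

Run the scanner over a page and then `fetchOutcome` over each hit: the stylesheet is blocked whether or not the host is in the HSTS store, the image is loaded but flagged regardless of HSTS, and only `upgradeInsecureRequests: true` (a browser that honours the directive) turns both into clean fetches. `fixAbsoluteHttpLinks` removes the problem at the source, which is why it also covers browsers that never learn the directive.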