HTTP or HTTPS for vocabulary namespaces

Dear all,

I took an action recently to look into whether we should be using HTTP 
or HTTPS for our vocabulary namespaces. The topic arises because of 
recent changes on w3.org where we have implemented HSTS [1] and UIR [2]. 
Several browsers have also implemented this.

Whilst the details are probably of no more than passing interest to most 
people here, the result is noticeable: visit any http://www.w3.org URL 
and you're likely to be redirected to the https://www.w3.org equivalent.

The key thing is that this is due to interaction between the server and 
your browser. If the browser doesn't understand HSTS and UIR, then the 
http version is what you get:


curl -I http://www.w3.org/ns/ssn/
HTTP/1.1 200 OK
Date: Wed, 20 Apr 2016 12:46:17 GMT
Content-Location: Overview.owl
Vary: negotiate,upgrade-insecure-requests
TCN: choice
Last-Modified: Tue, 15 Mar 2016 06:13:03 GMT
ETag: "ebe9-52e104a3699c0;52e8c65b20237"
Accept-Ranges: bytes
Content-Length: 60393
Cache-Control: max-age=21600
Expires: Wed, 20 Apr 2016 18:46:17 GMT
P3P: policyref="http://www.w3.org/2014/08/p3p.xml"
Access-Control-Allow-Origin: *
Content-Type: application/rdf+xml; qs=0.9

Since vocabulary definitions are as likely to be retrieved with user 
agents that are not browsers as with those that are, the advice is 
that we continue to define vocabularies with good ol' HTTP schemes.

It is bad practice to offer different resources at two URLs that differ 
only in the scheme. Therefore the User Agent may dereference the 
vocabulary namespace using either http or https. Likewise, the end 
server may decide to upgrade the dereferencing request to https.

Please be careful if copying and pasting relevant URLs from your browser.

Meanwhile, document URIs will be cited as being 
https://www.w3.org/TR/{blah} etc.

HTH

Phil


[1] https://tools.ietf.org/html/rfc6797
[2] https://www.w3.org/TR/upgrade-insecure-requests/

For tracker: Action-107

-- 


Phil Archer
W3C Data Activity Lead
http://www.w3.org/2013/data/

http://philarcher.org
+44 (0)7887 767755
@philarcher1

Received on Wednesday, 20 April 2016 15:25:40 UTC
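
As an added illustration (not part of the original message, and not W3C's server code), the toy model below shows why a client without HSTS/UIR support, such as curl, receives the http representation while a browser ends up on https. The function and class names and the max-age value are assumptions made for the example.

```python
# Added illustration: a toy model of the server/user-agent interaction.
# serve, UserAgent and HSTS_MAX_AGE are hypothetical names, not W3C code.
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000  # constructed policy value, not w3.org's real setting


def serve(url, request_headers):
    """Return (status, response_headers) the way a UIR + HSTS origin would."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # UIR: redirect only clients that asked for the upgrade.
        if request_headers.get("Upgrade-Insecure-Requests") == "1":
            https_url = urlunsplit(("https",) + tuple(parts[1:]))
            return 307, {"Location": https_url, "Vary": "Upgrade-Insecure-Requests"}
        return 200, {"Vary": "Upgrade-Insecure-Requests"}
    # RFC 6797: the HSTS header is only sent over secure transport.
    return 200, {"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}"}


class UserAgent:
    def __init__(self, supports_uir, supports_hsts):
        self.supports_uir = supports_uir
        self.supports_hsts = supports_hsts
        self.hsts_hosts = set()  # hosts that must be reached over https

    def fetch(self, url):
        """Dereference url; return the list of (url, status) hops."""
        hops = []
        while True:
            parts = urlsplit(url)
            if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
                # Known HSTS host: rewrite before anything goes on the wire.
                url = urlunsplit(("https",) + tuple(parts[1:]))
                parts = urlsplit(url)
            headers = {"Upgrade-Insecure-Requests": "1"} if self.supports_uir else {}
            status, resp = serve(url, headers)
            hops.append((url, status))
            if self.supports_hsts and "Strict-Transport-Security" in resp:
                self.hsts_hosts.add(parts.hostname)
            if status != 307:
                return hops
            url = resp["Location"]
```

A user agent built with both flags off behaves like the curl request in the message; one with both flags on is redirected on its first visit and rewrites the scheme itself on later visits.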