- From: Neil Matatall <neilm@twitter.com>
- Date: Tue, 5 Feb 2013 11:01:42 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I would think of this more as an "hsts"-like feature, but I don't want to confuse that with the HSTS header itself!

"no-mixed-content": on; works for me

Background:
  When I supply hosts without schemes in a directive
  And I supply the "no-mixed-content" flag in the CSP directive

Scenario: SSL Requests
  Given the request is over SSL
  Then all host values should be prepended with https

Scenario: Plaintext Requests
  Given the request is not over SSL
  Then all host values should be prepended with http in addition to https

This still allows you to hard code https for hosts (i.e. never over plain ever), but grants flexibility such that you can apply a very restrictive and concise header with flexibility that doesn't require scheme-specific headers. Supply this with preloaded HSTS and cert pinning, and your surface for potentially exposing resources over plaintext is drastically reduced.
Received on Tuesday, 5 February 2013 19:02:09 UTC
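The scheme-expansion rule proposed in the message above, written out as an added example (not code from the post or from any CSP implementation): scheme-less hosts get `https://` on a TLS request and both `http://` and `https://` on a plaintext request, while hosts that already carry a scheme (the hard-coded `https://` case) and keywords like `'self'` are left untouched. The host names and the simplified scheme-plus-host matcher in `resource_allowed` are constructed for illustration.

```python
from urllib.parse import urlsplit


def expand_sources(hosts, request_is_tls, no_mixed_content=True):
    """Expand scheme-less CSP host sources per the "no-mixed-content" proposal.

    hosts: source expressions as written in the policy template.
    request_is_tls: True when the response is served over SSL/TLS.
    no_mixed_content: the proposed flag; when off, hosts are emitted unchanged.
    """
    if not no_mixed_content:
        return list(hosts)
    out = []
    for host in hosts:
        if "://" in host or host.startswith("'"):
            # Already scheme-qualified (hard-coded https://) or a keyword such as 'self'.
            out.append(host)
        elif request_is_tls:
            # SSL request: only the https form of the host is allowed.
            out.append("https://" + host)
        else:
            # Plaintext request: allow http now, and https as well.
            out.append("http://" + host)
            out.append("https://" + host)
    return out


def build_directive(name, hosts, request_is_tls, no_mixed_content=True):
    """Render one CSP directive (e.g. script-src) with the expanded source list."""
    return name + " " + " ".join(expand_sources(hosts, request_is_tls, no_mixed_content))


def resource_allowed(url, sources):
    """Simplified check of a fetch URL against expanded sources.

    Matches scheme and host only; ports, paths and wildcards are ignored
    (a real CSP matcher handles those). Shows the mixed-content effect:
    on a TLS page an http:// fetch from an allowed host is rejected.
    """
    parts = urlsplit(url)
    wanted = "%s://%s" % (parts.scheme.lower(), parts.hostname)
    return any(src.lower() == wanted for src in sources if "://" in src)


if __name__ == "__main__":
    # Constructed sample policy: one scheme-less CDN host, one hard-coded https host.
    hosts = ["'self'", "cdn.example.com", "https://secure.example.net"]
    print(build_directive("script-src", hosts, request_is_tls=True))
    print(build_directive("script-src", hosts, request_is_tls=False))
```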