- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 15 Dec 2014 09:54:58 -0800
- To: Igor Bukanov <igor@mir2.org>, Michal Zalewski <lcamtuf@google.com>
- CC: Peter Bowen <pzbowen@gmail.com>, Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
On 12/15/14 2:03 AM, Igor Bukanov wrote:
> Chris' original proposal is a stick. I want to give a site operator also
> a carrot. That can be an option to activate encryption that is not
> visible to the user and *receive* from the browser all reports about
> violations of secure origin policy. This way the operator will know that
> they can activate HTTPS without worsening user experience and have
> information that helps to fix the content.

Serve the HTML page over http: but load all sub-resources over https: as expected after the transition. Add the following header:

    Content-Security-Policy-Report-Only: default-src https:; report-uri <me>

(add "script-src https: 'unsafe-inline' 'unsafe-eval';" if necessary)

This doesn't give you the benefit of encrypting your main HTML content during the transition as you requested, but it is something that can be done today. When the reports come back clean enough you can switch the page content to https too.

-Dan Veditz
Received on Monday, 15 December 2014 17:55:26 UTC
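An added example, not part of the mail above or of any browser or project code: the receiving side of the report-uri endpoint Dan describes, which summarises Report-Only violations so the operator can see which pages still pull which sub-resources over plain http: and which directives would need 'unsafe-inline' or 'unsafe-eval'. It assumes the JSON body format browsers post to report-uri (a top-level "csp-report" object) and uses constructed sample reports.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample report bodies in the report-uri JSON format (not real traffic).
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "http://shop.example/cart", "blocked-uri": "http://cdn.example/app.js",'
    ' "violated-directive": "default-src https:", "effective-directive": "script-src"}}',
    '{"csp-report": {"document-uri": "http://shop.example/cart", "blocked-uri": "http://static.example/logo.png",'
    ' "violated-directive": "default-src https:", "effective-directive": "img-src"}}',
    '{"csp-report": {"document-uri": "http://shop.example/cart", "blocked-uri": "http://cdn.example/app.js",'
    ' "violated-directive": "default-src https:", "effective-directive": "script-src"}}',
    '{"csp-report": {"document-uri": "http://shop.example/", "blocked-uri": "inline",'
    ' "violated-directive": "default-src https:", "effective-directive": "script-src"}}',
    'not json at all',
]

def parse_report(body):
    """Return the inner "csp-report" object, or None if the body is malformed."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    return report if isinstance(report, dict) else None

def summarize(bodies):
    """Group plain-http blocked URIs by (document-uri, directive); record directives hit
    by inline script/style or eval, which would need 'unsafe-inline' / 'unsafe-eval'."""
    http_hits, needs_unsafe, malformed = defaultdict(set), set(), 0
    for body in bodies:
        report = parse_report(body)
        if report is None:
            malformed += 1
            continue
        blocked = report.get("blocked-uri", "")
        # Older browsers send only violated-directive ("default-src https:"); use its name.
        directive = report.get("effective-directive") or report.get("violated-directive", "").split(" ")[0]
        if blocked in ("inline", "eval"):
            needs_unsafe.add(directive)
        elif urlsplit(blocked).scheme == "http":  # the mixed-content case the transition must fix
            http_hits[(report.get("document-uri", ""), directive)].add(blocked)
    return {"http_subresources": {k: sorted(v) for k, v in http_hits.items()},
            "needs_unsafe": sorted(needs_unsafe), "malformed": malformed}

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORTS)
    for (page, directive), uris in result["http_subresources"].items():
        print(f"{page} [{directive}]: {', '.join(uris)}")
```

Because the policy is Report-Only, nothing is blocked for users; the summary is only the fix list to work through before the page itself is moved to https.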