Re: [MIX] Interaction between HSTS and mixed content blocking

From: Brian Smith <brian@briansmith.org>
Date: Wed, 19 Nov 2014 13:30:23 -0800
Message-ID: <CAFewVt6GnP1OFGfMpUrPAZqrX+suD0GVD_svMqM07OHPGetqhQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Nov 19, 2014 at 1:22 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, Nov 19, 2014 at 10:07 PM, Brian Smith <brian@briansmith.org> wrote:
>> The mixed content document should specify how http:// links for HSTS
>> origins work: does the blocking happen before or after the internal
>> redirect?
>
> Per https://fetch.spec.whatwg.org/ it is after per suggestions from
> HSTS' Jeff.

Sounds good.

> This does not quite align with implementations.

I think you mean "this is the opposite of what implementations do."
Are there two implementations interested in changing this?

> It's also
> a bit unclear whether this is best, since it depends on which HSTS
> domains you visited what the results will be. Perhaps we should make a
> same-origin restriction here.

I'm not sure I understand. The fact that HSTS state accumulates and is
lost over time affects every fetch, not just mixed content fetches.

Cheers,
Brian
Received on Wednesday, 19 November 2014 21:30:49 UTC
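The ordering question in this exchange, shown on concrete inputs as an added example: this is not part of the thread, not the Fetch standard's algorithm and not any browser's code. The document origin, request URLs and HSTS store are constructed, and both the HSTS upgrade and the mixed content check are reduced to their simplest form so that only the order in which they run differs between the two functions.

```javascript
// Added example: a toy model of "block before the HSTS redirect" versus
// "block after the HSTS redirect". Not the Fetch standard's text and not
// browser code; every host, URL and HSTS entry below is constructed.

// HSTS upgrade, simplified: rewrite http: to https: when the host is in the
// user agent's HSTS store. Real HSTS also handles includeSubDomains and
// max-age expiry; both are omitted here.
function hstsUpgrade(url, hstsHosts) {
  const u = new URL(url);
  if (u.protocol === 'http:' && hstsHosts.has(u.hostname)) {
    u.protocol = 'https:'; // an explicit non-default port is kept, as HSTS requires
  }
  return u.href;
}

// Mixed content check, simplified: a document loaded over https: must not
// fetch an http: subresource. Real checks distinguish blockable from
// optionally-blockable content; here everything is treated as blockable.
function isMixedContent(pageOrigin, url) {
  return new URL(pageOrigin).protocol === 'https:' &&
         new URL(url).protocol === 'http:';
}

// Ordering the thread attributes to the Fetch standard: apply the HSTS
// upgrade first, then run the mixed content check on the upgraded URL.
function upgradeThenBlock(pageOrigin, url, hstsHosts) {
  const upgraded = hstsUpgrade(url, hstsHosts);
  return isMixedContent(pageOrigin, upgraded)
    ? { result: 'blocked', url: upgraded }
    : { result: 'allowed', url: upgraded };
}

// Ordering the thread attributes to implementations at the time: run the
// mixed content check on the URL as written, and only upgrade what survives.
function blockThenUpgrade(pageOrigin, url, hstsHosts) {
  if (isMixedContent(pageOrigin, url)) {
    return { result: 'blocked', url };
  }
  return { result: 'allowed', url: hstsUpgrade(url, hstsHosts) };
}

// Run one request through both orderings so any disagreement is visible.
function compareOrderings(pageOrigin, url, hstsHosts) {
  return {
    fetchSpec: upgradeThenBlock(pageOrigin, url, hstsHosts),
    implementations: blockThenUpgrade(pageOrigin, url, hstsHosts),
  };
}

const PAGE = 'https://app.example/';        // constructed secure document
const HSTS_SEEN = new Set(['cdn.example']); // constructed store: cdn.example visited before
const HSTS_EMPTY = new Set();               // constructed store: fresh profile

// Same http:// subresource, two orderings, two HSTS states.
console.log(compareOrderings(PAGE, 'http://cdn.example/a.js', HSTS_SEEN));
// fetchSpec: allowed as https://cdn.example/a.js; implementations: blocked.
console.log(compareOrderings(PAGE, 'http://cdn.example/a.js', HSTS_EMPTY));
// Both blocked: under the Fetch ordering the outcome depends on which HSTS
// hosts this profile has already visited, which is the point Anne raises.
```

The second pair of calls is the practical caveat: under the upgrade-first ordering, the same page markup loads cleanly on a profile that has seen the host's Strict-Transport-Security header and fails on a fresh one, so a site cannot rely on HSTS to rescue http:// references and should still emit https:// URLs.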