W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [MIX] Interaction between HSTS and mixed content blocking

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 19 Nov 2014 22:47:44 +0100
Message-ID: <CADnb78h-k38Vh+PHkdYJ+5z9n-DiZc0SLHsZhH36BDQzV3n+7Q@mail.gmail.com>
To: Adam Langley <agl@google.com>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Nov 19, 2014 at 10:30 PM, Adam Langley <agl@google.com> wrote:
> Otherwise sites randomly work or not based on whether the profile has
> previously visited (and thus remembered HSTS for) an origin.

If you do a same-origin check as well you would only rewrite rules
that would have to be in the user's HSTS cache (unless HSTS is weirdly

> Also, it leaves mixed-content issues to bite people using browsers
> that don't implement HSTS (and possibly allow dangerous loads).

Not implementing HSTS should be treated as a security bug at this point.

I do think it's worth considering if there's some way we can address
this problem as it makes deployment hard. E.g. have a header along
these lines:

  HTTPS-Domains: w3.org, lists.w3.org

which would rewrite the URLs matching those domains within the
resource to use HTTPS. That way you do not need to rewrite tons of
static resources, but can upgrade the resource's links and
subresources through an HTTP header that can be added via changing
some server configuration.

Received on Wednesday, 19 November 2014 21:48:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:43 UTC