W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2015

UPGRADE: Do we need granular control?

From: Mike West <mkwst@google.com>
Date: Mon, 10 Aug 2015 15:46:09 +0200
Message-ID: <CAKXHy=d=b4pS4+Gwm2j8JgVF+LaTPpXDmL7fxQxfw-5ERbjeog@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, Yan Zhu <yan@eff.org>, Brad Hill <hillbrad@gmail.com>, Alex Russell <slightlyoff@google.com>
I believe https://github.com/w3c/webappsec/issues/184 is the only
outstanding issue on UPGRADE at the moment. The goal there is to split the
behavior into "navigational" and "other", and turn both into source lists.
We'd end up with something like (insert naming bikeshed)
`upgrade-insecure-navigations example.com other-example.com;
upgrade-insecure-resources cdn.example.com othercdn.example.com`, and the
current `upgrade-insecure-requests` would desugar into
`upgrade-insecure-navigations [insert protected resources' host];
upgrade-insecure-resources *`.

Before I dive into adding that to the text, I'd like to determine whether
it's necessary. :)

Right now, we have two more or less compatible implementations of the
current spec (though I think Firefox doesn't yet send the signaling
header). I haven't heard any requests for the functionality from folks
using the header, just from Brad and Yan. Is it something we should add
before moving to CR? It would explain the current functionality with better
primitives, but it's not clear to me whether it's worth the added
complexity.

Brad, Yan, Alex? If any of you (or anyone else, really) feels strongly
about it, that's probably good enough, but if this is just a nice-to-have,
I'd suggest we punt it and just call v1 done.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 10 August 2015 13:46:57 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:14 UTC