Re: UPGRADE: Do we need granular control? from Mike West on 2015-08-11 (public-webappsec@w3.org from August 2015)

From: Mike West <mkwst@google.com>
Date: Tue, 11 Aug 2015 05:29:42 +0200
To: yan <yan@eff.org>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Alex Russell <slightlyoff@google.com>, Peter Eckersley <pde@eff.org>, Dan Veditz <dveditz@mozilla.com>, Tanvi Vyas <tanvi@mozilla.com>
Message-ID: <CAKXHy=dhLSTHjHiBg_SQsceJ2omaNC=23DVhU2opt_PU-5SYsQ@mail.gmail.com>

On Tue, Aug 11, 2015 at 12:14 AM, yan <yan@eff.org> wrote:

> + pde
>
> On 8/10/15 1:59 PM, Brad Hill wrote:
>
>> I think that we could call it done and think about adding just
>> 'upgrade-insecure-navigations' to a Level 2.  I think it is beneficial
>> to have that scope expansion available as extra behavior, but I don't
>> see any good use cases to formally "decompose"
>> upgrade-insecure-resources out of the existing behavior. (where it could
>> only be used to weaken mixed content fetching, which we don't want to do
>> and won't necessarily ever produce good results)
>>
>
> Firefox/Chrome doesn't block passive mixed content. Tor Browser doesn't
> even block active mixed content by default.

Really? That seems like a bad default choice.

> In both cases, sites can use the header with a source set to upgrade as
> many resources as possible. I think it's good to encourage this best-effort
> behavior.
>

I guess I'm simply wondering whether anyone will use the granularity. My
suspicion is that developers who have a deep enough understanding of the
hosts to which they can securely connect is capable of simply coding their
sites such that they connect to those hosts over HTTPS. But it might be the
case that making the ramp more gradual could be useful even for those types
of sites.

Dan, Tanvi, is this something you folks would implement in Firefox?

-mike

Received on Tuesday, 11 August 2015 03:30:30 UTC