W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Upgrade mixed content URLs through HTTP header

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 2 Feb 2015 16:24:41 +0100
Message-ID: <CADnb78gXQgp=U23URyHO=qqCFMvBSXosU2qAYWDOEzA0-TPCTA@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Some members of the W3C staff raised this issue the most clearly,
though I also found out myself while rolling out TLS on whatwg.org and
various other domains.

When you have lots of legacy pages that all have various subresources,
upgrading them all to avoid mixed content warnings (or worse,
failures) can be a pain. You have enabled TLS for the domains your
subresources come from, but you don't have the possibility of
upgrading all the links.

For that scenario it would be useful if we had a header that was
similar to HSTS, but instead applied to the subresources of the
current document. HSTS does not help as it a) applies only to a single
host and any cached hosts and b) happens after mixed content per
recent agreement.

So I think if we introduced an HTTP response header (only takes affect
if delivered over TLS) like

  TLS-Only: true

we would enable resources such as

  <!doctype html>
  <h1><img src=http://elsewhere.example/test alt=Testing></h1>
  <script src=http://anywhere.example/run></script>

to avoid mixed content warnings without content changes.

This seems fairly trivial to introduce and support and would lower the
barrier to TLS adoption some more. Especially for web properties with
lots of legacy resources.

Received on Monday, 2 February 2015 15:25:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC