- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 2 Feb 2015 16:24:41 +0100
- To: WebAppSec WG <public-webappsec@w3.org>
Some members of the W3C staff raised this issue the most clearly, though I also found out myself while rolling out TLS on whatwg.org and various other domains. When you have lots of legacy pages that all have various subresources, upgrading them all to avoid mixed content warnings (or worse, failures) can be a pain. You have enabled TLS for the domains your subresources come from, but you don't have the possibility of upgrading all the links.

For that scenario it would be useful if we had a header that was similar to HSTS, but instead applied to the subresources of the current document. HSTS does not help as it a) applies only to a single host and any cached hosts and b) happens after mixed content per recent agreement.

So I think if we introduced an HTTP response header (only takes effect if delivered over TLS) like

    TLS-Only: true

we would enable resources such as

    <!doctype html>
    <title>Hey!</title>
    <h1><img src=http://elsewhere.example/test alt=Testing></h1>
    <script src=http://anywhere.example/run></script>

to avoid mixed content warnings without content changes.

This seems fairly trivial to introduce and support and would lower the barrier to TLS adoption some more. Especially for web properties with lots of legacy resources.

-- 
https://annevankesteren.nl/
Received on Monday, 2 February 2015 15:25:08 UTC
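The following is an added illustration of the behaviour the mail proposes, written here as a client-side model; it is not code from the original post or from any browser. The header name `TLS-Only` is the proposal's, and the helper names (`extractSubresources`, `resolveSubresource`, `planFetches`) and the sample document URL are assumptions for the example. It reuses the sample markup from the mail, applies the proposed upgrade only when the document itself arrived over TLS, and reports which subresources would otherwise count as mixed content.

```javascript
// Added example: a model of the proposed "TLS-Only" header from the mail.
// The header is a proposal, not a shipping browser feature; helper names
// and the sample document URL below are assumptions for this illustration.

// Sample markup taken from the mail, embedded here as constructed input.
const SAMPLE_HTML = `<!doctype html>
<title>Hey!</title>
<h1><img src=http://elsewhere.example/test alt=Testing></h1>
<script src=http://anywhere.example/run></script>`;

// Pull every src= attribute value (quoted or unquoted) out of a document.
function extractSubresources(html) {
  const re = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    urls.push(m[1] ?? m[2] ?? m[3]);
  }
  return urls;
}

// Case-insensitive header lookup over a plain {name: value} object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Decide what a client honouring the proposal would fetch for one
// subresource of a document. Returns { url, upgraded, mixedContent }.
function resolveSubresource(documentUrl, responseHeaders, subresourceUrl) {
  const doc = new URL(documentUrl);
  const sub = new URL(subresourceUrl, documentUrl);
  const docIsSecure = doc.protocol === 'https:';
  // Per the proposal the header only takes effect when the document
  // itself was delivered over TLS; on a plain-http document it is ignored.
  const headerValue = getHeader(responseHeaders, 'TLS-Only') ?? '';
  const tlsOnly = docIsSecure && /^\s*true\s*$/i.test(headerValue);
  let upgraded = false;
  if (tlsOnly && sub.protocol === 'http:') {
    sub.protocol = 'https:'; // rewrite the scheme before the fetch is issued
    upgraded = true;
  }
  // Mixed content: a secure document pulling a subresource over plain http.
  const mixedContent = docIsSecure && sub.protocol === 'http:';
  return { url: sub.href, upgraded, mixedContent };
}

// Plan the fetches for every subresource in a document.
function planFetches(documentUrl, responseHeaders, html) {
  return extractSubresources(html).map((u) =>
    resolveSubresource(documentUrl, responseHeaders, u)
  );
}

// Stand-alone demo: the same legacy page with and without the header.
const page = 'https://whatwg.org/legacy.html'; // assumed document URL
console.log(planFetches(page, { 'TLS-Only': 'true' }, SAMPLE_HTML));
console.log(planFetches(page, {}, SAMPLE_HTML));
```

Running the block shows both `http://` subresources rewritten to `https://` when the header is present on a TLS-delivered document, and both flagged as mixed content when it is absent; the same header on an `http://` document changes nothing, which is the "only takes effect if delivered over TLS" condition from the mail.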