
Re: Upgrade mixed content URLs through HTTP header

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 2 Feb 2015 16:39:15 +0100
Message-ID: <CADnb78iYq1hRiCgi_q0EFbf_xC3zXFM9p9X3NCeQRv5AgdFhCg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Mon, Feb 2, 2015 at 4:35 PM, Mike West <mkwst@google.com> wrote:
> Would the effect of the header be equivalent to running `s/http:/https:/g`
> on the HTML? That is, at parse time, we would transparently replace
> `http://example.com/test.png` with `https://example.com/test.png`?

Equivalent, but not identical. My proposal would be to upgrade in
Fetch similar to HSTS so that any scripts are not affected by URLs

> Or would this be similar to strict mixed content checking mode, blocking the
> requests without degrading the UI?

It would not be similar as we would attempt to fetch these resources
over TLS. Having said that, I don't understand why strict mixed
content would result in UI degradation. If we don't actually do
something that causes harm to the user (such as fetching mixed content
images), we shouldn't alert them about it.
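The distinction Anne draws here ("equivalent, but not identical") is about what scripts can observe. The following Python model is an added example, not code from the thread or from any browser: it contrasts the parse-time `s/http:/https:/g` rewrite Mike describes with a fetch-layer upgrade in the style of HSTS, and with strict mixed-content blocking. The sample markup is constructed, and `upgrade_request_url` is a simplified rule (http: to https:, explicit port 80 to 443) rather than any spec text this page contains.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample markup (not from the thread): one insecure image, one
# already-secure script, one insecure URL on a non-default port.
SAMPLE_HTML = (
    '<img id="logo" src="http://example.com/test.png">'
    '<script src="https://example.com/app.js"></script>'
    '<img id="chart" src="http://example.com:8080/chart.png">'
)

SRC_RE = re.compile(r'\bsrc="([^"]+)"')


def subresource_urls(html):
    """Return the src= URLs in document order; this is what a script
    reading element.src would see."""
    return SRC_RE.findall(html)


def rewrite_markup(html):
    """Strategy A: the s/http:/https:/g rewrite applied to the markup before
    parsing. Scripts that later read element.src see the rewritten URL, so
    page logic that compares, logs or reconstructs URLs changes behaviour."""
    return re.sub(r'\bhttp://', 'https://', html)


def upgrade_request_url(url):
    """Strategy B: upgrade at the fetch layer, the way an HSTS entry rewrites
    the request without touching the document. Simplified assumed rule:
    http: becomes https:, an explicit port 80 becomes 443, any other explicit
    port is kept, and https: URLs pass through unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def model_parse_time_rewrite(html):
    """What scripts see and what is fetched under the markup rewrite."""
    urls = subresource_urls(rewrite_markup(html))
    return {"script_sees": urls, "fetched": urls}


def model_fetch_layer_upgrade(html):
    """What scripts see and what is fetched under the fetch-layer upgrade:
    the DOM keeps http:, only the outgoing request is changed."""
    urls = subresource_urls(html)
    return {"script_sees": urls, "fetched": [upgrade_request_url(u) for u in urls]}


def model_strict_blocking(html):
    """Strict mixed-content checking: insecure requests are dropped, nothing
    is upgraded, and the DOM is untouched."""
    urls = subresource_urls(html)
    return {"script_sees": urls,
            "fetched": [u for u in urls if urlsplit(u).scheme == "https"]}


def script_visible_change(html, model):
    """True if the strategy changes what scripts observe relative to the
    original markup; only the parse-time rewrite does."""
    return model(html)["script_sees"] != subresource_urls(html)


if __name__ == "__main__":
    for model in (model_parse_time_rewrite, model_fetch_layer_upgrade,
                  model_strict_blocking):
        print(model.__name__, model(SAMPLE_HTML),
              "scripts affected:", script_visible_change(SAMPLE_HTML, model))
```

Running the block shows the two things a deployer cares about: the fetch-layer upgrade and strict blocking both leave `script_sees` identical to the original document, while the markup rewrite does not; and only the upgrade strategies actually deliver the image over TLS, whereas strict blocking drops it.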

Received on Monday, 2 February 2015 15:39:39 UTC
