
Re: Upgrade mixed content URLs through HTTP header

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 2 Feb 2015 16:54:05 +0100
Message-ID: <CADnb78hezRr-mwHTWZ3wDJZoi=2bNNj0OoGSFB+Oz1P_1vskXA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>, Ryan Sleevi <sleevi@google.com>, Adam Langley <agl@google.com>

On Mon, Feb 2, 2015 at 4:47 PM, Mike West <mkwst@google.com> wrote:
> On Mon, Feb 2, 2015 at 4:39 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> Equivalent, but not identical. My proposal would be to upgrade in
>> Fetch similar to HSTS so that any scripts are not affected by URLs
>> changing.
> Hrm. So the result would be the same as a redirect? The document would have
> an insecure URL, but we'd end up making a secure request?

Somewhat and yes. (Redirect seems like the wrong analogy since there's
no insecurity involved.)

> That said, I'm not sure it actually solves W3C's concern, as it would leave
> legacy clients out in the cold. The only way to support clients that don't
> support the thing we haven't implemented yet would be to alter the links at
> the source. I totally understand that that's difficult, but it seems
> essential.

Yeah, this would only work if all browsers upgrade (or enough for
sites to start using it). So it would help with the long tail of
non-TLS properties, not those at the forefront.

Received on Monday, 2 February 2015 15:54:28 UTC
