Re: Upgrade mixed content URLs through HTTP header

From: Mike West <mkwst@google.com>
Date: Mon, 2 Feb 2015 18:13:18 +0100
Message-ID: <CAKXHy=dPV-UQ5AeuWz_4zC8MefnVgrkT43XcLb4XhmhdwWqbdg@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>
On Feb 2, 2015 4:58 PM, "Jim Manico" <jim.manico@owasp.org> wrote:

> > The only way to support clients that don't support the thing we haven't
> > implemented yet would be to alter the links at the source.
>
> You can always have JavaScript do this for you... Take Clickjacking
> defense: Just like X-Frame-Options issues with legacy clients, there
> are pure Js framebusting solutions that are reasonable.
>

If adjusting the source was an option, we wouldn't need this header.

Sites with large amounts of legacy content (W3C, NYT, etc) have a hard time
ensuring that all the pages on their sites are updated with new URLs. I
think that's the problem Anne is aiming at mitigating.

-mike
Received on Monday, 2 February 2015 17:14:08 UTC
