Re: Upgrade mixed content URLs through HTTP header

From: Mike West <mkwst@google.com>
Date: Mon, 2 Feb 2015 18:13:18 +0100
Message-ID: <CAKXHy=dPV-UQ5AeuWz_4zC8MefnVgrkT43XcLb4XhmhdwWqbdg@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>
On Feb 2, 2015 4:58 PM, "Jim Manico" <jim.manico@owasp.org> wrote:

> > The only way to support clients that don't support the thing we haven't
> > implemented yet would be to alter the links at the source.
> You can always have JavaScript do this for you... Take Clickjacking
> defense: Just like X-Frame-Options issues with legacy clients, there
> are pure Js framebusting solutions that are reasonable.

If adjusting the source was an option, we wouldn't need this header.

Sites with large amounts of legacy content (W3C, NYT, etc) have a hard time
ensuring that all the pages on their sites are updated with new URLs. I
think that's the problem Anne is aiming at mitigating.

Received on Monday, 2 February 2015 17:14:08 UTC
