Re: Upgrade mixed content URLs through HTTP header

On Feb 2, 2015 4:58 PM, "Jim Manico" <jim.manico@owasp.org> wrote:

> > The only way to support clients that don't support the thing we haven't
> > implemented yet would be to alter the links at the source.
>
> You can always have JavaScript do this for you... Take Clickjacking
> defense: Just like X-Frame-Options issues with legacy clients, there
> are pure Js framebusting solutions that are reasonable.
>

If adjusting the source was an option, we wouldn't need this header.

Sites with large amounts of legacy content (W3C, NYT, etc) have a hard time
ensuring that all the pages on their sites are updated with new URLs. I
think that's the problem Anne is aiming at mitigating.

-mike

Received on Monday, 2 February 2015 17:14:08 UTC