
Re: Upgrade mixed content URLs through HTTP header

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 3 Feb 2015 10:21:50 +0100
Message-ID: <CADnb78jaPo0Lt_W-+Zb1_rSiyEjK7o-SgPrdJT1VDiA40c79ng@mail.gmail.com>
To: "Eduardo' Vela <Nava>" <evn@google.com>
Cc: Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, Ryan Sleevi <sleevi@google.com>, Adam Langley <agl@google.com>, Peter Eckersley <pde@eff.org>, WebAppSec WG <public-webappsec@w3.org>

On Tue, Feb 3, 2015 at 10:18 AM, "Eduardo' Vela <Nava>" <evn@google.com> wrote:
> Would this enable the upgrade only? Without the STSing?
> Strict-Transport-Security: max-age=0; upgradeSubresources

I think Mike was suggesting not to extend HSTS but instead use the
presence of HSTS as a signal to upgrade all mixed content URLs within
the document. It's not entirely clear to me if that is compatible with
what is out there today. And if coupling it with HSTS helps adoption
or makes it harder.

Received on Tuesday, 3 February 2015 09:22:17 UTC
