Re: Upgrade mixed content URLs through HTTP header from Eduardo' Vela\ on 2015-02-03 (public-webappsec@w3.org from February 2015)

From: Eduardo' Vela\ <evn@google.com>
Date: Tue, 3 Feb 2015 10:25:08 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Wendy Seltzer <wseltzer@w3.org>, Ryan Sleevi <sleevi@google.com>, Mike West <mkwst@google.com>, Adam Langley <agl@google.com>, Peter Eckersley <pde@eff.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAFswPa-T=puOrUC3U2cuzYpeXzznxrqWGZT9E+dOFkFEeakZvg@mail.gmail.com>

It would be helpful to upgrade sites even if they aren't HSTS already.
On Feb 3, 2015 10:21 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

> On Tue, Feb 3, 2015 at 10:18 AM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
> > Would this enable the upgrade only? Without the STSing?
> >
> > Strict-Transport-Security: max-age=0; upgradeSubresources
>
> I think Mike was suggesting not to extend HSTS but instead use the
> presence of HSTS as a signal to upgrade all mixed content URLs within
> the document. It's not entirely clear to me if that is compatible with
> what is out there today. And if coupling it with HSTS helps adoption
> or makes it harder.
>
>
> --
> https://annevankesteren.nl/
>

Received on Tuesday, 3 February 2015 09:25:35 UTC