- From: Peter Eckersley <pde@eff.org>
- Date: Tue, 3 Feb 2015 01:27:21 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "Eduardo' Vela <Nava>" <evn@google.com>, Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, Ryan Sleevi <sleevi@google.com>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>
Either approach is potentially workable, but adding a new directive to HSTS would make it more practical for sites to stay on HTTP for the currently deployed clients where HSTS _doesn't_ fix the MCB problem, and only use HTTPS+HSTS with the shiny new clients that know how to do subresource upgrading.

On Tue, Feb 03, 2015 at 10:21:50AM +0100, Anne van Kesteren wrote:
> On Tue, Feb 3, 2015 at 10:18 AM, Eduardo' Vela" <Nava> <evn@google.com> wrote:
> > Would this enable the upgrade only? Without the STSing?
> >
> > Strict-Transport-Security: max-age=0; upgradeSubresources
>
> I think Mike was suggesting not to extend HSTS but instead use the
> presence of HSTS as a signal to upgrade all mixed content URLs within
> the document. It's not entirely clear to me if that is compatible with
> what is out there today. And if coupling it with HSTS helps adoption
> or makes it harder.
>
>
> --
> https://annevankesteren.nl/
>

--
Peter Eckersley                            pde@eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
Received on Tuesday, 3 February 2015 09:31:38 UTC
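As an added illustration (not code from the thread, any browser, or any spec), a small Python model of the two designs being compared above: the `upgradeSubresources` directive from Eduardo's example, which is hypothetical and was never standardised, versus treating the mere presence of HSTS state as the signal to upgrade mixed content. It relies on the RFC 6797 rule that `max-age=0` clears a host's HSTS state; host names and URLs are constructed sample data.

```python
# Added model of the two designs discussed above; not code from the thread,
# a browser or a spec. "upgradeSubresources" is the hypothetical directive
# from the quoted message; all host names and URLs are constructed samples.
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Split a Strict-Transport-Security value into {directive: value-or-None}.
    Directive names are case-insensitive (RFC 6797)."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, sep, value = part.partition("=")
            out[name.strip().lower()] = value.strip().strip('"') if sep else None
    return out


def hsts_pins_host(sts):
    """RFC 6797: max-age=0 tells the client to forget the host's HSTS state,
    so only a positive max-age leaves the host 'known HSTS'."""
    try:
        return int(sts.get("max-age") or 0) > 0
    except ValueError:
        return False


def should_upgrade_subresources(sts, mode):
    """'directive': upgrade iff the proposed directive is present, so
    'max-age=0; upgradeSubresources' upgrades subresources without pinning.
    'presence': Mike's design as relayed by Anne: any effective HSTS state
    on the document host implies upgrading all mixed content."""
    if mode == "directive":
        return "upgradesubresources" in sts
    if mode == "presence":
        return hsts_pins_host(sts)
    raise ValueError(mode)


def upgrade_mixed_content(doc_url, subresource_urls, sts, mode):
    """Return the URLs the modelled client would actually fetch. Only http://
    subresources of an https:// document are mixed content."""
    if urlsplit(doc_url).scheme != "https" or not should_upgrade_subresources(sts, mode):
        return list(subresource_urls)
    return [urlunsplit(urlsplit(u)._replace(scheme="https"))
            if urlsplit(u).scheme == "http" else u for u in subresource_urls]


if __name__ == "__main__":
    sts = parse_sts("max-age=0; upgradeSubresources")   # Eduardo's example
    subs = ["http://cdn.example.test/a.js", "https://x.test/b.css"]
    for mode in ("directive", "presence"):
        print(mode, hsts_pins_host(sts), upgrade_mixed_content("https://example.test/", subs, sts, mode))
```

Run as a script, the `directive` mode upgrades the http:// subresource while leaving the host unpinned, and the `presence` mode upgrades nothing because `max-age=0` leaves no HSTS state to act on.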