Re: Upgrade mixed content URLs through HTTP header

From: Peter Eckersley <pde@eff.org>
Date: Mon, 2 Feb 2015 16:39:46 -0800
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <20150203003946.GA6944@eff.org>

On Mon, Feb 02, 2015 at 01:53:10PM -0500, Daniel Kahn Gillmor wrote:

> I'll ask the obvious question explicitly:
> 
> Why does this need to be a separate header at all?  Why not just assume
> that sites with STS set should opportunistically upgrade http resources
> to https?

Arguably we may want it to be a separate header, or a new HSTS
directive, so that sites don't trigger mixed content breakage in the
already-widely-deployed populations of Chrome and Firefox browsers that
block before upgrading.
 

-- 
Peter Eckersley                            pde@eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
Received on Tuesday, 3 February 2015 09:31:24 UTC