Re: Upgrade mixed content URLs through HTTP header

On Tue, Feb 3, 2015 at 10:21 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Feb 3, 2015 at 10:18 AM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
> > Would this enable the upgrade only? Without the STSing?
> >
> > Strict-Transport-Security: max-age=0; upgradeSubresources
>
> I think Mike was suggesting not to extend HSTS but instead use the
> presence of HSTS as a signal to upgrade all mixed content URLs within
> the document. It's not entirely clear to me if that is compatible with
> what is out there today. And if coupling it with HSTS helps adoption
> or makes it harder.
>

Right. All good questions.

My intuition is that if a site is already setting HSTS, and includes
insecure resources, then they're already living with brokenness. Breaking
them in a different way (by failing to load HTTPS resources) doesn't seem
substantially worse (though might have negative performance impacts,
assuming a failed connection takes some amount of time to timeout).

Using HSTS as a signal almost certainly doesn't solve the adoption problem;
no one is sending the HSTS header unless they've already done substantial
work to get ready. This would simply be a mechanism of ensuring that the
effort was well-spent, and had the desired effect.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registration court and number: Hamburg, HRB 86891, Registered
office: Hamburg, Managing directors: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 3 February 2015 09:41:56 UTC
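The two signalling designs discussed in this thread, modelled as a small toy, added here as an example that is not code from the thread or from any browser: Mike's variant treats a live HSTS policy (max-age > 0) on the document's host as the signal to upgrade the document's mixed-content URLs, while Eduardo's variant uses an explicit `upgradeSubresources` directive that would work even with `max-age=0` (the directive is hypothetical; the rest of the header syntax follows RFC 6797, and the port 80 to 443 mapping is an assumption borrowed from how scheme upgrades are usually done).

```python
# Added example, not from the thread. "upgradeSubresources" is the hypothetical
# directive from Eduardo's message; everything else is standard HSTS syntax.
from urllib.parse import urlsplit, urlunsplit

def parse_sts(header):
    """Parse a Strict-Transport-Security value into {name: value}.
    Directive names are case-insensitive; values are kept as strings."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def should_upgrade(sts_header):
    """Signal A (Mike): an HSTS policy with max-age > 0 is the signal.
    Signal B (Eduardo, hypothetical): an explicit upgradeSubresources
    directive, which also works with max-age=0, i.e. without pinning the host."""
    if sts_header is None:
        return False
    d = parse_sts(sts_header)
    if "upgradesubresources" in d:
        return True
    try:
        return int(d.get("max-age", "0")) > 0
    except ValueError:
        return False

def upgrade_mixed_content(document_url, subresource_urls, sts_header):
    """Rewrite http:// subresource URLs to https:// when the document itself
    is https:// and the signal is present; other schemes are left alone.
    An explicit :80 port is mapped to :443 (assumption, see lead-in)."""
    if urlsplit(document_url).scheme != "https" or not should_upgrade(sts_header):
        return list(subresource_urls)
    out = []
    for url in subresource_urls:
        p = urlsplit(url)
        if p.scheme == "http":
            netloc = p.netloc
            if p.port == 80:
                netloc = netloc.rsplit(":", 1)[0] + ":443"
            url = urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        out.append(url)
    return out
```

Note that the upgraded URL is only a different fetch target; the caveat Mike raises still applies, since a host that does not answer on 443 turns the old "mixed content" breakage into a failed or slow load.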