W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: Upgrade mixed content URLs through HTTP header

From: Mike West <mkwst@google.com>
Date: Tue, 3 Feb 2015 10:41:08 +0100
Message-ID: <CAKXHy=eVBS+-yBgfyNLj5U70ijx_Ae6_qSHpcCHkDVs=xUehGA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "Eduardo' Vela <Nava>" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Ryan Sleevi <sleevi@google.com>, Adam Langley <agl@google.com>, Peter Eckersley <pde@eff.org>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Feb 3, 2015 at 10:21 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Feb 3, 2015 at 10:18 AM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
> > Would this enable the upgrade only? Without the STSing?
> >
> > Strict-Transport-Security: max-age=0; upgradeSubresources
>
> I think Mike was suggesting not to extend HSTS but instead use the
> presence of HSTS as a signal to upgrade all mixed content URLs within
> the document. It's not entirely clear to me if that is compatible with
> what is out there today. And if coupling it with HSTS helps adoption
> or makes it harder.
>

Right. All good questions.

My intuition is that if a site is already setting HSTS, and includes
insecure resources, then they're already living with brokenness. Breaking
them in a different way (by failing to load HTTPS resources) doesn't seem
substantially worse (though might have negative performance impacts,
assuming a failed connection takes some amount of time to timeout).

Using HSTS as a signal almost certainly doesn't solve the adoption problem;
no one is sending the HSTS header unless they've already done substantial
work to get ready. This would simply be a mechanism of ensuring that the
effort was well-spent, and had the desired effect.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 3 February 2015 09:41:56 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC