
Re: Upgrade mixed content URLs through HTTP header

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 3 Feb 2015 10:56:06 +0100
Message-ID: <CADnb78i2Kj=ZP+cdQ5B_cPhA3MS89nNkz8qPErnCqPF_qzLK_Q@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Mike West <mkwst@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>

On Tue, Feb 3, 2015 at 10:47 AM, Ryan Sleevi <sleevi@google.com> wrote:
> I'm not sure I follow this, so apologies for not fully keeping up with the
> shifting thread. When extended to third-party resources, if I embed an HTTP
> image from a third-party origin on a site with HSTS, it will load but
> degrade UI. If I auto-upgrade that other origin to HTTPS, it will fail to
> load - that does seem considerably worse, doesn't it?

Agreed.

I think we have learned over time that coupling is bad and makes
adoption harder. Which I think means that we should offer a way to do
this without also opting into other features.

Therefore a new CSP directive (assuming that does not opt you into
other CSP features) or standalone header to upgrade URLs that would
otherwise be considered mixed content seems more effective.


-- 
https://annevankesteren.nl/
Received on Tuesday, 3 February 2015 09:56:30 UTC
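As an added example (my own code, not from this thread or from any browser), here is a small Python model of the behaviour the two messages contrast: without an upgrade directive, an http: subresource on an https: page is mixed content; with it, the URL is rewritten to https:, which only works if that host actually serves HTTPS. `upgrade-insecure-requests` is the real CSP directive name this proposal later became; the sample URLs and the HTTPS_CAPABLE_HOSTS set are constructed stand-ins (the set replaces a real network probe), and the policy logic is a simplified model, not the spec's algorithm.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: an HTTPS document and the subresources it references.
DOCUMENT_URL = "https://example.com/page"
SUBRESOURCES = [
    "https://example.com/app.js",
    "http://example.com/logo.png",         # first-party mixed content
    "http://cdn.example.net/widget.js",    # third-party mixed content
    "http://static.example.org/photo.jpg", # third party with no HTTPS
]
# Constructed: which hosts answer over HTTPS (stands in for a network probe).
HTTPS_CAPABLE_HOSTS = {"example.com", "cdn.example.net"}


def csp_has_directive(header, name):
    """True if the CSP header value contains the named directive token."""
    directives = [d.strip() for d in header.split(";") if d.strip()]
    return any(d.split()[0] == name for d in directives)


def upgrade(url):
    """Rewrite an http: URL to https:, mapping an explicit port 80 to 443."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[:-3] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def classify(document_url, resources, csp_header, https_capable_hosts):
    """Report what happens to each subresource under the given policy."""
    upgrading = csp_has_directive(csp_header, "upgrade-insecure-requests")
    secure_document = urlsplit(document_url).scheme == "https"
    report = {}
    for url in resources:
        parts = urlsplit(url)
        if not secure_document or parts.scheme == "https":
            report[url] = "loads"
        elif not upgrading:
            report[url] = "mixed-content"      # loads with degraded UI (or is blocked)
        elif parts.hostname in https_capable_hosts:
            report[url] = "upgraded:" + upgrade(url)
        else:
            report[url] = "upgrade-fails"      # the failure mode Ryan raises
    return report


if __name__ == "__main__":
    for policy in ("default-src 'self'", "upgrade-insecure-requests"):
        print(policy, classify(DOCUMENT_URL, SUBRESOURCES, policy, HTTPS_CAPABLE_HOSTS))
```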
