
Re: Upgrade mixed content URLs through HTTP header

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 3 Feb 2015 10:56:06 +0100
Message-ID: <CADnb78i2Kj=ZP+cdQ5B_cPhA3MS89nNkz8qPErnCqPF_qzLK_Q@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Mike West <mkwst@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>
On Tue, Feb 3, 2015 at 10:47 AM, Ryan Sleevi <sleevi@google.com> wrote:
> I'm not sure I follow this, so apologies for not fully keeping up with the
> shifting thread. When extended to third-party resources, if I embed an HTTP
> image from a third-party origin on a site with HSTS, it will load but
> degrade UI. If I auto-upgrade that other origin to HTTPS, it will fail to
> load - that does seem considerably worse, doesn't it?
I think we have learned over time that coupling is bad and makes
adoption harder. Which I think means that we should offer a way to do
this without also opting into other features.

Therefore a new CSP directive (assuming that does not opt you into
other CSP features) or standalone header to upgrade URLs that would
otherwise be considered mixed content seems more effective.
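A small model of the opt-in upgrade being proposed, added here as an illustration and not code from the thread: an `https:` page carrying the directive has its `http:` subresources rewritten to `https:`, while without the directive they stay mixed content and merely degrade the UI. The directive name is an assumption (it is the name the idea was later standardised under), and the set of hosts that actually serve TLS is a constructed stand-in for the third-party origins Ryan worries about.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed directive name; the model only checks for its presence in the header.
UPGRADE_DIRECTIVE = "upgrade-insecure-requests"


def has_upgrade_directive(csp_header):
    """True if the Content-Security-Policy value lists the upgrade directive."""
    return any(d.strip().lower() == UPGRADE_DIRECTIVE for d in csp_header.split(";"))


def classify_subresource(page_url, resource_url, csp_header="", tls_hosts=frozenset()):
    """Model how a browser might treat one subresource fetched by page_url.

    tls_hosts is a constructed set of hostnames that can serve HTTPS; it stands
    in for the real-world question of whether an upgraded load would succeed.

    Returns (decision, url) with decision one of:
      'plain'          page is not https, so nothing is mixed content
      'secure'         https resource on an https page, fetched as-is
      'mixed'          http resource, no opt-in: loads but degrades the UI
      'upgraded'       http resource rewritten to https, host serves TLS
      'upgrade-failed' rewritten to https, but the host cannot serve it
    """
    page = urlsplit(page_url)
    res = urlsplit(resource_url)
    if page.scheme != "https":
        return ("plain", resource_url)
    if res.scheme == "https":
        return ("secure", resource_url)
    if res.scheme != "http" or not has_upgrade_directive(csp_header):
        return ("mixed", resource_url)
    # Opt-in upgrade: swap the scheme; an explicit :80 is dropped so the
    # default HTTPS port applies, any other explicit port is kept.
    netloc = res.hostname if res.port == 80 else res.netloc
    upgraded = urlunsplit(("https", netloc, res.path, res.query, res.fragment))
    if res.hostname in tls_hosts:
        return ("upgraded", upgraded)
    return ("upgrade-failed", upgraded)
```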

Received on Tuesday, 3 February 2015 09:56:30 UTC
