W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: Upgrade mixed content URLs through HTTP header

From: Wendy Seltzer <wseltzer@w3.org>
Date: Tue, 03 Feb 2015 05:11:21 -0500
Message-ID: <54D09EC9.2090404@w3.org>
To: Mike West <mkwst@google.com>, Peter Eckersley <pde@eff.org>
CC: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, Ryan Sleevi <sleevi@google.com>, Adam Langley <agl@google.com>
On 02/03/2015 04:00 AM, Mike West wrote:
> That's not what I mean to say. With regard to the W3C, my (apocryphal?*)
> understanding is that the main blocker to deploying HTTPS more widely is
> legacy clients, not legacy content, and that they'd need to alter the
> source in order to get over that hurdle. The legacy concern was specific to
> this example, not a general statement on adding features to the platform.
> 
> *Wendy (hi!) could probably comment here.

My understanding of the problem on W3C's site is a combo of huge amounts
of legacy content and desire to continue making resources available to
legacy clients.

(I think we as a site should upgrade top-level pages to HTTPS, serve the
mixed content and upgrade additional pages and their resources over
time, but I don't set site policy.)

--Wendy

-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Tuesday, 3 February 2015 10:11:36 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC