W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: Upgrade mixed content URLs through HTTP header

From: Mike West <mkwst@google.com>
Date: Tue, 3 Feb 2015 11:16:49 +0100
Message-ID: <CAKXHy=cywU9dDeVn50BGKX9X-oUNqUq0uW9AfhFFiLGrbeTjwg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ryan Sleevi <sleevi@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>
On Tue, Feb 3, 2015 at 10:56 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Therefore a new CSP directive (assuming that does not opt you into
> other CSP features) or standalone header to upgrade URLs that would
> otherwise be considered mixed content seems more effective.

Let's say we introduce Eduardo's "upgrade-unsafe". What would you expect it
to do?

I'd expect it to blindly rewrite first- and third-party HTTP images (and
etc.) to HTTPS before fetching, which would simply fail for images
unavailable over HTTPS. It's not clear to me that that's really worse than
the browser telling the user that the page is insecure, and it seems like
different site authors would react differently.

An alternative would be to rewrite first-party requests only. Would that
address enough of the problem to be worth offering?


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 3 February 2015 10:17:37 UTC
