W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: Upgrade mixed content URLs through HTTP header

From: Mike West <mkwst@google.com>
Date: Tue, 3 Feb 2015 11:53:16 +0100
Message-ID: <CAKXHy=dPZXzTfAd1hX_2MJ+-5Hie2nvaNw4enuNcQNpv+JhatA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ryan Sleevi <sleevi@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>
On Tue, Feb 3, 2015 at 11:50 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Feb 3, 2015 at 11:16 AM, Mike West <mkwst@google.com> wrote:
> > Let's say we introduce Eduardo's "upgrade-unsafe". What would you expect
> it
> > to do?
> >
> > I'd expect it to blindly rewrite first- and third-party HTTP images (and
> > etc.) to HTTPS before fetching, which would simply fail for images
> > unavailable over HTTPS. It's not clear to me that that's really worse
> than
> > the browser telling the user that the page is insecure, and it seems like
> > different site authors would react differently.
>
> This is what I would expect. And from experience with deploying TLS on
> whatwg.org and html5.org I know that we had made sure that the thirty
> or so domains for in use (for both primary and subresources) supported
> TLS. It was just an enormous hassle to make sure that the content also
> matched that. If we had a header to upgrade the content deployment of
> TLS would have gone a lot smoother.
>

My worry is that we're papering over the problem for newer clients, thereby
removing incentive to fix the problem for existing clients. While I agree
with Peter's earlier assertion that we shouldn't hold up progress, I think
this is a concern we'd need to address in order to ensure that sites and
applications remain as accessible as possible.

Ensuring that CSP-Report-Only works correctly is important, for example.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 3 February 2015 10:54:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC