Re: Upgrade mixed content URLs through HTTP header

On Tue, Feb 3, 2015 at 11:50 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Feb 3, 2015 at 11:16 AM, Mike West <mkwst@google.com> wrote:
> > Let's say we introduce Eduardo's "upgrade-unsafe". What would you expect
> it
> > to do?
> >
> > I'd expect it to blindly rewrite first- and third-party HTTP images (and
> > etc.) to HTTPS before fetching, which would simply fail for images
> > unavailable over HTTPS. It's not clear to me that that's really worse
> than
> > the browser telling the user that the page is insecure, and it seems like
> > different site authors would react differently.
>
> This is what I would expect. And from experience with deploying TLS on
> whatwg.org and html5.org I know that we had made sure that the thirty
> or so domains for in use (for both primary and subresources) supported
> TLS. It was just an enormous hassle to make sure that the content also
> matched that. If we had a header to upgrade the content deployment of
> TLS would have gone a lot smoother.
>

My worry is that we're papering over the problem for newer clients, thereby
removing incentive to fix the problem for existing clients. While I agree
with Peter's earlier assertion that we shouldn't hold up progress, I think
this is a concern we'd need to address in order to ensure that sites and
applications remain as accessible as possible.

Ensuring that CSP-Report-Only works correctly is important, for example.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 3 February 2015 10:54:07 UTC