
Re: Upgrade mixed content URLs through HTTP header

From: Jacob Hoffman-Andrews <jsha@eff.org>
Date: Tue, 03 Feb 2015 18:20:32 -0800
Message-ID: <54D181F0.3020307@eff.org>
To: Tom Ritter <tom@ritter.vg>, Anne van Kesteren <annevk@annevk.nl>
CC: Mike West <mkwst@google.com>, Ryan Sleevi <sleevi@google.com>, Eduardo' Vela <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>
> And it's why people pay tens or hundreds of thousands of dollars to
> CDNs to support clients who don't send SNI? Clearly not. =)  I think
> maintaining compatibility with existing clients is very important for
> businesses, and a feature that breaks the experience for some
> percentage of them is a feature they won't use.

A business whose HTTPS implementation is partial (that is, their site works only if the 'upgrade-unsafe' directive is present) can use UA detection to redirect only those clients known to support 'upgrade-unsafe' to their HTTPS site. Older clients can remain on the HTTP site until the business either rewrites all links internally or decides to deprecate support for those clients.
Received on Wednesday, 4 February 2015 02:21:04 UTC
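The client-gated redirect described in the message above, as an added example that is not part of the thread: a request handler that sends HTTP requests to HTTPS only for clients judged to support the upgrade directive, leaves other HTTP clients alone, and serves the directive on HTTPS responses. The UA allowlist strings are constructed; the directive name used is `upgrade-insecure-requests`, the name under which the 'upgrade-unsafe' proposal shipped in CSP, and the `Upgrade-Insecure-Requests: 1` request header is the support signal that spec defines.

```python
"""Client-gated HTTPS redirect for a partially-HTTPS site (added example)."""
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of UA substrings standing in for "clients known to
# support the upgrade directive"; a real deployment would maintain its own.
UPGRADE_CAPABLE_UA_MARKERS = ("Chrome/43", "Firefox/42")

# Name under which the 'upgrade-unsafe' proposal shipped in CSP.
CSP_UPGRADE = "upgrade-insecure-requests"


def client_supports_upgrade(headers):
    """True if the client can be trusted to honour the upgrade directive.

    Two signals: the Upgrade-Insecure-Requests: 1 request header (sent by
    browsers implementing the shipped spec) or a UA allowlist match.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade-insecure-requests", "").strip() == "1":
        return True
    ua = h.get("user-agent", "")
    return any(marker in ua for marker in UPGRADE_CAPABLE_UA_MARKERS)


def handle(url, headers):
    """Return (status, response_headers) for an incoming request.

    HTTP requests from upgrade-capable clients are redirected to the same
    path on HTTPS; other HTTP clients stay on HTTP. HTTPS responses carry
    the directive so the browser rewrites remaining http:// subresource
    links itself.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        if client_supports_upgrade(headers):
            target = urlunsplit(("https",) + tuple(parts[1:]))
            # Temporary redirect plus Vary, so a shared cache never replays
            # the redirect to an older client that was not meant to get it.
            return 307, {"Location": target,
                         "Vary": "Upgrade-Insecure-Requests, User-Agent"}
        return 200, {}
    return 200, {"Content-Security-Policy": CSP_UPGRADE}
```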
