
Re: Upgrade mixed content URLs through HTTP header

From: Mike West <mkwst@google.com>
Date: Wed, 4 Feb 2015 09:13:08 +0100
Message-ID: <CAKXHy=f+R3iuPU4S2kdaxZnZq4huEUMAFCfgDGk6UX5AiEKvVQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Tom Ritter <tom@ritter.vg>, Ryan Sleevi <sleevi@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>
On Wed, Feb 4, 2015 at 9:07 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Feb 4, 2015 at 5:46 AM, Daniel Kahn Gillmor
> <dkg@fifthhorseman.net> wrote:
> > However, I see no reason that we should avoid coupling opportunistic
> > upgrade for blocked mixed content for sites already using STS. Is there
> > a coupling objection to this use case that I'm missing?
>
> Simplicity. Let HSTS not have unanticipated side effects. Note also
> that what is blockable mixed content is not a constant.
>

*shrug* This seems totally reasonable to me as something to experiment
with. As Daniel notes, these pages are broken currently. If we try to fix
them optimistically, and accidentally break them in a different way than
they're already broken, we haven't lost much.

The argument from side-effects is much more powerful with regard to the
stuff we're not blocking yet. There I'm willing to believe that
optimistically upgrading without opt-in from the author could do more harm
than good.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 4 February 2015 08:13:56 UTC
