W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: An HTTP->HTTPS upgrading strawman. (was Re: Upgrade mixed content URLs through HTTP header)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 4 Feb 2015 09:13:52 +0100
Message-ID: <CADnb78jxRnH=VEm1SV7BHvNeEcJ3d_B9jQDZt7FyKspDHU+iVg@mail.gmail.com>
To: Crispin Cowan <crispin@microsoft.com>
Cc: Mike West <mkwst@google.com>, Peter Eckersley <pde@eff.org>, Ryan Sleevi <sleevi@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Feb 3, 2015 at 11:58 PM, Crispin Cowan <crispin@microsoft.com> wrote:
> It seems to me that there are 2 big scenarios that server admins are likely
> to want:
> ·         Strict: e.g. I’m a bank, I don’t ever want cleartext anything
> floating around, so every byte should be HSTS.
> ·         Opportunistic: I’m a mashup, so I want to make a best effort by
> having all the bytes from my site be encrypted, but don’t know or control
> what protocols are going on with sites that are mashed into mine.

I think there are three:

1. As is. Mixed Content is not touched.

2. Upgrade. Mixed Content URLs will be altered to use HTTP over TLS.

3. Block. All Mixed Content results in a network error.

We recently added 3. We already have 1 (just do nothing). This adds 2.
We might want to make the syntax a bit more related, but I'll leave
that up to Mike.

(Non-form top-level navigation needs to be excluded as Mixed Content
does not touch that. Links would break.)

Received on Wednesday, 4 February 2015 08:14:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC