W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: Upgrade mixed content URLs through HTTP header

From: Emily Stark <estark@google.com>
Date: Tue, 3 Feb 2015 08:20:04 -0800
Message-ID: <CAPP_2Sa6wa6c0N0C9MGLnqVAsifu1=qoQkS5sAcTj2QJv5KXOw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Jim Manico <jim.manico@owasp.org>, Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>
On Mon, Feb 2, 2015 at 9:13 AM, Mike West <mkwst@google.com> wrote:

> On Feb 2, 2015 4:58 PM, "Jim Manico" <jim.manico@owasp.org> wrote:
>
>> > The only way to support clients that don't support the thing we haven't
>> implemented yet would be to alter the links at the source.
>>
>> You can always have JavaScript do this for you... Take Clickjacking
>> defense: Just like X-Frame-Options issues with legacy clients, there
>> are pure Js framebusting solutions that are rameasonable.
>>
>
> If adjusting the source was an option, we wouldn't need this header.
>
> Sites with large amounts of legacy content (W3C, NYT, etc) have a hard
> time ensuring that all the pages on their sites are updated with new URLs.
> I think that's the problem Anne is aiming at mitigating.
>
>
Hi Mike! Sorry to jump in in the middle here, but this argument isn't clear
to me. For the sake of my understanding, can you tell me if the following
is an accurate summary of why it should be a header rather than some
Javascript code?

1. It would be difficult to write Javascript that actually does this
rewriting correctly and reliably. For example, it's not clear to me that a
Javascript library would be able to rewrite URLs of images that are
inserted directly into the DOM dynamically.

2. Even if such a magical Javascript library existed, it would be difficult
to deploy on huge sites with thousands of pages: the goal is to avoid
having to make any changes to the source of such sites. [I'm skeptical of
this point -- I see that actually transforming tons of URLs on all the
thousands of pages could be cumbersome, but adding a Javascript snippet to
the head of every page would probably just be a matter of modifying a small
number of templates, right?]

3. Even if 1 and 2 were easy and possible, the goal is to load resources
over HTTPS *without* actually rewriting URLs, because a script on the page
might assume that a URL is http:// and would break if the URL was actually
rewritten to https://. [I'm either skeptical of or ignorant on this point
-- anyone have examples of why such breakage would come up in real life?]

The major advantage that I see of rewriting in Javascript is flexibility:
for example, nytimes.com could rewrite all images on nytimes-owned domains
to https://, while only reporting for images on other domains. On the other
hand, having the header doesn't stop nytimes from implementing this policy;
it could do whatever rewriting it wants in JS, and use the header just to
report insecure requests.

Emily
Received on Wednesday, 4 February 2015 08:17:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC