
Re: [MIX] 4 possible solutions to the problem of Mixed Content Blocking stalling HTTPS deployment

From: Peter Eckersley <pde@eff.org>
Date: Thu, 5 Feb 2015 17:55:21 -0800
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: public-webappsec@w3.org, technologists@eff.org
Message-ID: <20150206015521.GU501@eff.org>
On Thu, Feb 05, 2015 at 05:54:15PM -0500, Daniel Kahn Gillmor wrote:
> On Mon 2015-02-02 19:21:00 -0500, Peter Eckersley wrote:
> 
> > Assuming that clients are following point 6.1.4 in RFC 6797
> > (https://tools.ietf.org/html/rfc6797#section-6.1) correctly, it should
> > be practical to make this kind of functionality part of HSTS.
> 
> This point in the RFC says:
> 
>    4.  UAs MUST ignore any STS header field containing directives, or
>        other header field value data, that does not conform to the
>        syntax defined in this specification.
> 
> I read that to mean that STS headers which break *syntax* should be
> ignored.  It does not say that any unknown directive should be ignored.
> 
> In fact, the next point explicitly says that unknown directives should
> be ignored:
> 
>    5.  If an STS header field contains directive(s) not recognized by
>        the UA, the UA MUST ignore the unrecognized directives, and if
>        the STS header field otherwise satisfies the above requirements
>        (1 through 4), the UA MUST process the recognized directives.

Thank you for catching my misreading there.  I think that pretty much
guarantees that we shouldn't do this as a new HSTS directive.

Let's keep working on Mike's CSP proposal :)

-- 
Peter Eckersley                            pde@eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
Received on Friday, 6 February 2015 01:55:51 UTC
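The two processing rules quoted above (RFC 6797 section 6.1, points 4 and 5) as an added example that is not code from this thread or from any browser: a small Strict-Transport-Security parser that drops the whole header on a syntax violation or a duplicated directive, but silently skips directives it does not recognise, which is why a new directive cannot be used to make older clients reject the header. The function name and return shape are my own.

```python
import re
from typing import Optional

# RFC 6797 section 6.1 grammar: directive-name is a token, directive-value is
# a token or a quoted-string, directives are separated by ';'.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_DIRECTIVE = re.compile(rf"^({_TOKEN})(?:\s*=\s*({_TOKEN}|{_QUOTED}))?$")
_DELTA_SECONDS = re.compile(r"^[0-9]+$")


def parse_sts(header_value: str) -> Optional[dict]:
    """Parse one Strict-Transport-Security field value (hypothetical helper).

    Returns {'max_age': int, 'include_subdomains': bool} when the header is
    acceptable, or None when the UA must ignore the whole header: a syntax
    violation (rule 4), a directive given twice (rule 2), or a missing
    max-age (the only REQUIRED directive).  Unrecognised directives are
    skipped (rule 5) instead of causing the header to be rejected.
    """
    seen = set()
    result = {"max_age": None, "include_subdomains": False}
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:            # the ABNF permits empty directives between ';'
            continue
        m = _DIRECTIVE.match(part)
        if m is None:
            return None         # rule 4: non-conforming syntax -> ignore header
        name, value = m.group(1).lower(), m.group(2)  # rule 3: names are case-insensitive
        if name in seen:
            return None         # rule 2: each directive MUST appear only once
        seen.add(name)
        if name == "max-age":
            if value is None:
                return None     # max-age needs a delta-seconds value
            if value.startswith('"'):
                value = value[1:-1]   # the value may be quoted, e.g. max-age="31536000"
            if not _DELTA_SECONDS.match(value):
                return None     # not delta-seconds -> syntax violation
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        # any other directive-name falls under rule 5: ignore it and carry on
    if result["max_age"] is None:
        return None             # max-age is REQUIRED
    return result
```

Feeding `max-age=31536000; includeSubDomains; newDirective=foo` to this parser yields a normal HSTS policy with the unknown directive dropped, whereas `max-age=1; max-age=2` or `max-age=abc` makes the UA ignore the header entirely.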
