
Re: Upgrade mixed content URLs through HTTP header

From: Mike West <mkwst@google.com>
Date: Fri, 6 Feb 2015 05:49:22 +0100
Message-ID: <CAKXHy=dHNw1DL9tdLGWhYGMOoX2akC6nLNBLN8b8+xrWhT=gzA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>, Joel Weinberger <jww@google.com>
Cc: Emily Stark <estark@google.com>, Jim Manico <jim.manico@owasp.org>, Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>
On Fri, Feb 6, 2015 at 5:34 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> I just want to note that I don't believe CSP reporting in its current
> state is a viable alternative for gathering the requisite telemetry.
> On deploying CSP, the vast majority of reports you see are extension
> noise and it takes a lot of work to really be able to clean up the
> noise and figure out what's broken. All the engineers who have deployed
> CSP have shared similar stories of the crazy amounts of noise. I have
> serious doubts this is practical for helping with HTTPS deployment.
>

Reports are indeed noisy, but I don't think it's the case that it's
impossible to extract value out of them. Jacob noted in
https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0080.html
that Twitter used them successfully to track mixed content.

In any event, Chrome has gotten at least marginally less noisy at this over
the last few months, due to Joel's effort. If you file more bugs, I'm sure
he'll be happy to fix them. :P


> Have we considered Service Worker for this? It seems easy to use
> Service Workers to log HTTP requests or try upgrading to HTTPS. This
> allows the origin to remain in control too.
>

I believe that ServiceWorker has even less chance of distinguishing an
extension-driven request from a "real" request, given its distance from the
point where the content is injected. Can you elaborate on the mechanism
you'd like to see?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 6 February 2015 04:50:12 UTC
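The two threads of this exchange, that CSP violation reports are dominated by extension noise yet can still be mined for mixed-content telemetry (as Twitter reportedly did), can be made concrete with a small triage script. The following is an added example written for this archive page; it is not code from Mike West, Devdatta Akhawe, Google or Twitter. It assumes the CSP 1.0/1.1 `csp-report` JSON shape that browsers POST to a `report-uri` endpoint, uses constructed sample reports rather than captured traffic, and treats the set of browser-extension URL schemes as a heuristic. It deliberately classifies only what the report itself exposes: an extension that injects a plain `http:` resource is indistinguishable from a real mixed-content bug, which is the limitation discussed above.

```javascript
// Constructed sample reports (not real traffic), shaped like the JSON body a
// browser sends to a CSP report-uri endpoint. The document is served over
// https:, so any blocked http: subresource is a mixed-content candidate.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://example.test/page",
      "blocked-uri": "http://cdn.example.test/app.js",
      "violated-directive": "script-src https:", "effective-directive": "script-src" } },
  { "csp-report": { "document-uri": "https://example.test/page",
      "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js",
      "violated-directive": "script-src https:", "effective-directive": "script-src" } },
  { "csp-report": { "document-uri": "https://example.test/page",
      "blocked-uri": "self", "source-file": "moz-extension://1234-5678/content.js",
      "violated-directive": "script-src https:", "effective-directive": "script-src" } },
  { "csp-report": { "document-uri": "https://example.test/page",
      "blocked-uri": "http://cdn.example.test/logo.png",
      "violated-directive": "img-src https:", "effective-directive": "img-src" } },
  { "csp-report": { "document-uri": "https://example.test/page",
      "blocked-uri": "https://third-party.test/widget.js",
      "violated-directive": "script-src https: 'self'", "effective-directive": "script-src" } },
];

// Heuristic (an assumption, not a spec list): URL schemes that only browser
// extensions use. A report whose blocked or source URL carries one of these
// was caused by an extension, not by the site's own markup.
const EXTENSION_SCHEMES = new Set([
  "chrome-extension:", "moz-extension:", "safari-extension:", "ms-browser-extension:",
]);

// blocked-uri is not always a URL: CSP uses the bare words "self", "inline"
// and "eval", and browsers may send an empty string. Treat those as non-URLs.
function parseUrl(value) {
  try { return new URL(value); } catch (_err) { return null; }
}

// Classify one report as extension noise, genuine mixed content, or other.
function classifyReport(report) {
  const r = report["csp-report"] || {};
  const doc = parseUrl(r["document-uri"] || "");
  const blocked = parseUrl(r["blocked-uri"] || "");
  const source = parseUrl(r["source-file"] || "");

  if ((blocked && EXTENSION_SCHEMES.has(blocked.protocol)) ||
      (source && EXTENSION_SCHEMES.has(source.protocol))) {
    return "extension-noise";
  }
  // Mixed content: an https: document requesting an http: subresource.
  if (doc && doc.protocol === "https:" && blocked && blocked.protocol === "http:") {
    return "mixed-content";
  }
  return "other";
}

// Aggregate the mixed-content reports by the insecure host and the directive
// that caught them, which is the list a site needs when migrating to HTTPS.
function summarizeMixedContent(reports) {
  const byHost = {};
  let extensionNoise = 0;
  let other = 0;
  for (const report of reports) {
    const kind = classifyReport(report);
    if (kind === "extension-noise") { extensionNoise++; continue; }
    if (kind === "other") { other++; continue; }
    const r = report["csp-report"];
    const host = new URL(r["blocked-uri"]).host;
    const directive = r["effective-directive"] || (r["violated-directive"] || "").split(" ")[0];
    const entry = byHost[host] || (byHost[host] = { count: 0, directives: new Set() });
    entry.count++;
    entry.directives.add(directive);
  }
  // Convert Sets to sorted arrays so the summary is JSON-serialisable.
  const mixedContent = {};
  for (const [host, entry] of Object.entries(byHost)) {
    mixedContent[host] = { count: entry.count, directives: [...entry.directives].sort() };
  }
  return { mixedContent, extensionNoise, other };
}

console.log(JSON.stringify(summarizeMixedContent(SAMPLE_REPORTS), null, 2));
```

Run against the constructed reports, the summary attributes two reports to `cdn.example.test` (one `script-src`, one `img-src`), discards two as extension noise, and files the blocked `https:` third-party script under "other" since it is a policy violation rather than mixed content. In a real deployment the "other" bucket still needs review, but separating these three classes is most of the cleanup work the thread describes.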
