
Re: Upgrade mixed content URLs through HTTP header

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 5 Feb 2015 21:39:31 -0800
Message-ID: <CAPfop_0ypR3Qwg6eJ8GRbwr3wP77HCyBU_buyiRmzL9tpFcF5A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Joel Weinberger <jww@google.com>, Emily Stark <estark@google.com>, Jim Manico <jim.manico@owasp.org>, Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>
>
> I believe that ServiceWorker has even less chance of distinguishing an
> extension-driven request from a "real" request, given its distance from the
> point where the content is injected. Can you elaborate on the mechanism
> you'd like to see?

hmm... I got the sense that there were two different (a bit entangled)
discussions in this email. 1) How to detect places where a site is
using http and 2) how to upgrade it to https (possibly via a directive
or via JS). I was focusing on the latter when talking about
ServiceWorkers. I guess it doesn't help in cases where you don't
actually support HTTPS in some obscure origin and thus can't upgrade
automatically.

cheers
Dev

> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 6 February 2015 05:40:19 UTC
