
Re: Upgrade mixed content URLs through HTTP header

From: Mike West <mkwst@google.com>
Date: Fri, 6 Feb 2015 06:57:34 +0100
Message-ID: <CAKXHy=dJuatz1oPOYq+XjNMu3Jb8qundzZLg1JcC4b352cxtxA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>, Alex Russell <slightlyoff@google.com>
Cc: Joel Weinberger <jww@google.com>, Emily Stark <estark@google.com>, Jim Manico <jim.manico@owasp.org>, Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>
On Fri, Feb 6, 2015 at 6:39 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> 2) how to upgrade it to https (possibly via a directive
> or via JS). I was focusing on the latter when talking about
> ServiceWorkers. I guess it doesn't help in cases where you don't
> actually support HTTPS in some obscure origin and thus can't upgrade
> automatically.
>

We currently do mixed content (and CSP) checks before sending the request
to the Service Worker. I'm not sure it would be a good idea to restructure
that to wait for the SW to potentially rewrite the request. Also, the
timing seems problematic. You can't register a SW until you're on an HTTPS
page, at which point it's too late to start upgrading its requests.

I think a CSP-based solution has some advantages here, but I guess I
wouldn't be opposed to explaining it in terms of service workers if there's
a good way of doing so. +Alex, who probably has opinions about SW's
applicability.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 6 February 2015 05:58:23 UTC
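As an added illustration of the ordering Mike describes (mixed-content and CSP checks run before a Service Worker ever sees a request, so only a header-driven upgrade runs early enough to rescue an http:// subresource on an https:// page), here is a small Python model of a subresource fetch pipeline. This is example code written for this archive page, not Chromium's or any browser's real implementation; the directive name `upgrade-insecure-requests` is assumed here, since the message itself only says "a directive".

```python
"""Toy model of a browser's subresource fetch pipeline (added example,
not browser code).  It shows why a CSP header can upgrade an http://
subresource on an https:// page while a Service Worker cannot: the
mixed-content decision is made before the Service Worker is consulted.

Assumption: the CSP directive is spelled 'upgrade-insecure-requests'.
"""
from urllib.parse import urlsplit, urlunsplit

UPGRADE_DIRECTIVE = "upgrade-insecure-requests"  # assumed directive name


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [values]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def upgrade_url(url: str) -> str:
    """Rewrite http:// to https:// (dropping an explicit :80); other schemes
    are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def is_mixed_content(document_url: str, request_url: str) -> bool:
    """An http:// subresource fetched by an https:// document is mixed content."""
    return (urlsplit(document_url).scheme == "https"
            and urlsplit(request_url).scheme == "http")


def fetch(document_url: str, request_url: str, csp_header: str = "",
          service_worker=None):
    """Run one subresource request through the pipeline in the order the
    message describes: CSP upgrade, then mixed-content blocking, and only
    then the Service Worker (modelled as a URL -> URL callable).

    Returns (final_url, outcome)."""
    policy = parse_csp(csp_header)
    url = request_url
    outcome = "allowed"

    # Step 1: header-driven upgrade.  This is the only hook that runs
    # before the mixed-content check, so it can turn a would-be-blocked
    # request into an https:// one.
    if UPGRADE_DIRECTIVE in policy and is_mixed_content(document_url, url):
        url = upgrade_url(url)
        outcome = "upgraded"

    # Step 2: mixed-content blocking.  A blocked request never reaches the
    # Service Worker, so a rewrite inside the worker cannot help here.
    if is_mixed_content(document_url, url):
        return url, "blocked-mixed-content"

    # Step 3: the Service Worker sees only requests that survived the checks.
    if service_worker is not None:
        rewritten = service_worker(url)
        if rewritten != url:
            url, outcome = rewritten, "rewritten-by-sw"
    return url, outcome


if __name__ == "__main__":
    # Constructed sample: an https page pulling a script over http.
    page, script = "https://example.com/", "http://cdn.example.com/a.js"
    print(fetch(page, script))                              # blocked
    print(fetch(page, script, "upgrade-insecure-requests"))  # upgraded
    # A Service Worker that would rewrite to https never gets the chance.
    sw = lambda u: u.replace("http://", "https://", 1)
    print(fetch(page, script, service_worker=sw))            # still blocked
```

The third call in the demo is the point of the message: the worker's rewrite is never invoked because the request was already rejected one step earlier, whereas the header-based upgrade takes effect before the check runs.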
