On Fri, Feb 6, 2015 at 7:21 AM, John Wong <gokoproject@gmail.com> wrote:
> My 3.1415 cents basically say CSP-based reporting is very helpful even
> with the noise. I always think there should be one single reporting
> mechanism for all the security headers, rather than asking developer to
> write code and detect the UI/Browser warning and find their code is causing
> trouble. And this needs to be outside of CSP, a superset reporting
> mechanism that CSP can forward to. I tend to think of it like shipping logs
> to logstash. This can be a whole different header...
>
Sounds like an interesting proposal! Perhaps we could flesh it out in a
separate thread?
> Now is auto-upgrading sub-resources a good security measure. I agree with
> some of the concerns raised in Devdatta's bugzilla report (
> https://bugzilla.mozilla.org/show_bug.cgi?id=776278). I apologize if i am
> really shifting the main attention, and please excuse my inability to keep
> up with the latest development:
>
I think the major difference between the current proposal and Dev's bug is
the word "auto".
If the site needs to opt-into the behavior, then it's significantly less
likely that doing so will expose the kind of `http://forbes.com/` vs `
https://forbes.com/` discrepancies; those sites will simply not opt-into
the behavior.
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)