Re: Upgrade mixed content URLs through HTTP header

From: Mike West <mkwst@google.com>
Date: Fri, 6 Feb 2015 09:12:52 +0100
Message-ID: <CAKXHy=cwpryKXN6HRwoOgg-DJgnFdjXZERz1fEZBT17ZZURjcA@mail.gmail.com>
To: John Wong <gokoproject@gmail.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Alex Russell <slightlyoff@google.com>, Joel Weinberger <jww@google.com>, Emily Stark <estark@google.com>, Jim Manico <jim.manico@owasp.org>, Ryan Sleevi <sleevi@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>

On Fri, Feb 6, 2015 at 7:21 AM, John Wong <gokoproject@gmail.com> wrote:

> My 3.1415 cents basically say CSP-based reporting is very helpful even
> with the noise. I always think there should be one single reporting
> mechanism for all the security headers, rather than asking developers to
> write code and detect the UI/Browser warning and find their code is causing
> trouble. And this needs to be outside of CSP, a superset reporting
> mechanism that CSP can forward to. I tend to think of it like shipping logs
> to logstash. This can be a whole different header...

Sounds like an interesting proposal! Perhaps we could flesh it out in a
separate thread?

> Now, is auto-upgrading sub-resources a good security measure? I agree with
> some of the concerns raised in Devdatta's bugzilla report (
> https://bugzilla.mozilla.org/show_bug.cgi?id=776278). I apologize if I am
> really shifting the main attention, and please excuse my inability to keep
> up with the latest development:

I think the major difference between the current proposal and Dev's bug is
the word "auto".
If the site needs to opt into the behavior, then it's significantly less
likely that doing so will expose the kind of `http://forbes.com/` vs
`https://forbes.com/` discrepancies; those sites will simply not opt into
the behavior.

Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 6 February 2015 08:13:40 UTC
