
Re: UPGRADE: Goals? (was Re: CfC to publish FPWD of "Upgrade Insecure Resources"; Deadline Feb 17th.)

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 11 Feb 2015 14:33:59 -0500
To: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>
Cc: Jim Manico <jim.manico@owasp.org>, Crispin Cowan <crispin@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Peter Eckersley <pde@eff.org>, yan zhu <yan@mit.edu>
Message-ID: <871tlwnsyg.fsf@alice.fifthhorseman.net>

On Wed 2015-02-11 13:24:21 -0500, Brad Hill wrote:
> Thanks, Mike, that looks good.   Should we promote the following note (or
> new language to indicate the same) from section 4.1 to the
> goals/introduction?
>
> Note: We allow only same-origin upgrades in order to ensure that
> navigations between pages of a single site that has opted-into the upgrade
> behavior remain on HTTPS, regardless of the hard-coded values in <a> tags.
> Performing upgrades for third-party resources brings a significantly higher
> potential for breakage, so we’re avoiding it for the moment.

This note is intended to be limited to navigation upgrades, right?

In that case, the last sentence should begin with something like:

 Performing upgrades for navigations to third-party resources...
                         ^^^^^^^^^^^^^^

Otherwise it implies that when https://example.com/ has an <img
src="http://example.org/"/> this feature won't have an effect, which
would miss the point.

      --dkg
Received on Wednesday, 11 February 2015 19:34:16 UTC
