W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: UPGRADE: Feature detection?

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 11 Feb 2015 14:52:31 -0500
To: Mike West <mkwst@google.com>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
Cc: Peter Eckersley <pde@eff.org>, Eric Mill <eric@konklone.com>, Jacob S Hoffman-Andrews <jsha@eff.org>
Message-ID: <87y4o4mdj4.fsf@alice.fifthhorseman.net>
On Wed 2015-02-11 09:34:37 -0500, Mike West wrote:
> While writing the example flow at
> https://w3c.github.io/webappsec/specs/upgrade/#examples, I stumbled over
> the problem of knowing when to redirect a user from an HTTP page to an
> HTTPS one. If you require the upgrade mechanism we're defining in order to
> give a user a reasonable experience, then you need to know whether or not
> she's capable of performing the upgrade before redirection.
> I think we should explicitly support this sort of feature detection, rather
> than relying on user agent sniffing*. Perhaps something like the following
> HTTP request header could be sent along with every navigational request
> (e.g. top-level navigations, new windows, and iframes):
>     Accept-Upgrade: https
> Servers could inspect the headers of the request, and decide based upon the
> presence of that header whether or not they were dealing with a client that
> could transparently upgrade requests. If so, redirect to HTTPS if you're
> not already there, if not, redirect to HTTP.

The simplest server-side logic for this is:

 if Accept-Upgrade: https is present, then
    302 redirect to https
    serve in cleartext.

If it's only sent during navigational requests, then the simplest
server-side logic will fail to redirect requests for things like images
or scripts that could have been redirected safely in the first place.

to fix this, the server-side logic would need to be:

 if (this is a navigational request) and ("Accept-Upgrade: https" is present), then
    302 redirect to https
    serve in cleartext

But it's not clear to me that the server side can actually evaluate
"this is a navigational request" effectively.  Is there a way?

This seems like it might introduce more problems on the server side than
it solves.

Does CSP itself offer any feature-detection capabilities?

Received on Wednesday, 11 February 2015 19:52:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC