- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: Wed, 11 Feb 2015 14:52:31 -0500
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Peter Eckersley <pde@eff.org>, Eric Mill <eric@konklone.com>, Jacob S Hoffman-Andrews <jsha@eff.org>
On Wed 2015-02-11 09:34:37 -0500, Mike West wrote:
> While writing the example flow at
> https://w3c.github.io/webappsec/specs/upgrade/#examples, I stumbled over
> the problem of knowing when to redirect a user from an HTTP page to an
> HTTPS one. If you require the upgrade mechanism we're defining in order to
> give a user a reasonable experience, then you need to know whether or not
> she's capable of performing the upgrade before redirection.
>
> I think we should explicitly support this sort of feature detection, rather
> than relying on user agent sniffing*. Perhaps something like the following
> HTTP request header could be sent along with every navigational request
> (e.g. top-level navigations, new windows, and iframes):
>
>     Accept-Upgrade: https
>
> Servers could inspect the headers of the request, and decide based upon the
> presence of that header whether or not they were dealing with a client that
> could transparently upgrade requests. If so, redirect to HTTPS if you're
> not already there, if not, redirect to HTTP.

The simplest server-side logic for this is:

  if "Accept-Upgrade: https" is present, then 302 redirect to https
  else serve in cleartext

If it's only sent during navigational requests, then the simplest
server-side logic will fail to redirect requests for things like images or
scripts that could have been redirected safely in the first place.

To fix this, the server-side logic would need to be:

  if (this is a navigational request) and ("Accept-Upgrade: https" is present),
  then 302 redirect to https
  else serve in cleartext

But it's not clear to me that the server side can actually evaluate "this
is a navigational request" effectively.  Is there a way?

This seems like it might introduce more problems on the server side than
it solves.

Does CSP itself offer any feature-detection capabilities?

        --dkg
Received on Wednesday, 11 February 2015 19:52:56 UTC
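The two server-side policies sketched in the message above, as an added example that is not code from the thread, from the webappsec spec, or from any of the participants. It models a cleartext request as a constructed object `{ host, path, headers, isNavigation }` (an assumption of this example), implements the "simplest" policy and the navigation-aware one as pure functions, and runs both over constructed sample traffic so the case dkg describes (a subresource fetch that carries no header) can be seen offline. The header name is the one proposed in the quoted message; the spec as eventually shipped renamed it to `Upgrade-Insecure-Requests: 1`, which does not change the logic. The `navigationFromFetchMetadata` helper uses the `Sec-Fetch-Mode` request header from the later Fetch Metadata standard (browsers began sending it in 2019), which did not exist when this message was written; it is included only as one later answer to the "is there a way?" question, and returns `null` for clients that send no such header rather than guessing.

```javascript
// Added example, not code from the thread or from the webappsec spec: the two
// server-side policies sketched in the message above, written as pure
// functions over a constructed request object so the behaviour on a
// navigation versus an image request can be checked offline.
//
// "Accept-Upgrade: https" is the header name proposed in the quoted message;
// the spec as eventually shipped renamed it to "Upgrade-Insecure-Requests: 1",
// but the decision logic is unchanged.

const ACCEPT_UPGRADE = 'accept-upgrade';

// HTTP header names are case-insensitive; normalise once so lookups work
// whatever casing the client used.
function headerMap(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// True when the request advertises that the client can transparently
// upgrade, i.e. the proposed header is present and lists "https".
function clientCanUpgrade(headers) {
  const value = headerMap(headers)[ACCEPT_UPGRADE];
  if (value === undefined) return false;
  return value.split(',').map(t => t.trim().toLowerCase()).includes('https');
}

// Assumption of this example: a request is { host, path, headers,
// isNavigation }. In 2015 a server had no standard way to learn
// isNavigation; see navigationFromFetchMetadata() below.
function httpsLocation(req) {
  return `https://${req.host}${req.path}`;
}

// Policy 1, "the simplest server-side logic": 302 to https whenever the
// header is present, otherwise serve in cleartext.
function naivePolicy(req) {
  if (clientCanUpgrade(req.headers)) {
    return { status: 302, location: httpsLocation(req) };
  }
  return { status: 200, location: null };
}

// Policy 2: 302 only when the request is navigational AND carries the
// header; everything else (images, scripts) is served in cleartext.
function navigationAwarePolicy(req) {
  if (req.isNavigation && clientCanUpgrade(req.headers)) {
    return { status: 302, location: httpsLocation(req) };
  }
  return { status: 200, location: null };
}

// One later answer to "can the server tell this is a navigational request?":
// the Fetch Metadata request headers (Sec-Fetch-Mode / Sec-Fetch-Dest) that
// browsers started sending in 2019, after this thread. A request is a
// navigation when Sec-Fetch-Mode is "navigate". Clients that send no such
// header get null rather than a guess.
function navigationFromFetchMetadata(headers) {
  const h = headerMap(headers);
  if (h['sec-fetch-mode'] === undefined) return null;
  return h['sec-fetch-mode'] === 'navigate';
}

// Constructed sample traffic (not captured from any real client): a top-level
// navigation carrying the proposed header, the <img> fetch that page triggers
// (which under the proposal carries no header), the same image fetch if the
// header were sent on every request, and a legacy client that sends nothing.
const SAMPLE_REQUESTS = [
  { name: 'navigation', host: 'example.test', path: '/',
    headers: { 'Accept-Upgrade': 'https', 'Sec-Fetch-Mode': 'navigate' },
    isNavigation: true },
  { name: 'image', host: 'example.test', path: '/logo.png',
    headers: { 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'image' },
    isNavigation: false },
  { name: 'image-with-header', host: 'example.test', path: '/logo.png',
    headers: { 'Accept-Upgrade': 'https', 'Sec-Fetch-Mode': 'no-cors' },
    isNavigation: false },
  { name: 'legacy-navigation', host: 'example.test', path: '/',
    headers: { 'User-Agent': 'OldBrowser/1.0' },
    isNavigation: true },
];

// Run both policies over the sample traffic; returns a map from request name
// to the status each policy would send plus what Fetch Metadata would say.
function compareOutcomes(requests = SAMPLE_REQUESTS) {
  const result = {};
  for (const req of requests) {
    result[req.name] = {
      naive: naivePolicy(req).status,
      aware: navigationAwarePolicy(req).status,
      fetchMetadataSaysNavigation: navigationFromFetchMetadata(req.headers),
    };
  }
  return result;
}

console.log(JSON.stringify(compareOutcomes(), null, 2));
```

Running it shows the point of the message: the plain `image` request is served in cleartext by both policies because it never carried the header, and the two policies only differ on `image-with-header`, where the naive policy redirects a subresource and the navigation-aware one does not. The `legacy-navigation` row shows that, without a signal like Fetch Metadata, the server cannot distinguish a navigation from a subresource fetch from the request alone.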