Re: UPGRADE: Feature detection?

On Wed 2015-02-11 09:34:37 -0500, Mike West wrote:
> While writing the example flow at
> https://w3c.github.io/webappsec/specs/upgrade/#examples, I stumbled over
> the problem of knowing when to redirect a user from an HTTP page to an
> HTTPS one. If you require the upgrade mechanism we're defining in order to
> give a user a reasonable experience, then you need to know whether or not
> she's capable of performing the upgrade before redirection.
>
> I think we should explicitly support this sort of feature detection, rather
> than relying on user agent sniffing*. Perhaps something like the following
> HTTP request header could be sent along with every navigational request
> (e.g. top-level navigations, new windows, and iframes):
>
>     Accept-Upgrade: https
>
> Servers could inspect the headers of the request, and decide based upon the
> presence of that header whether or not they were dealing with a client that
> could transparently upgrade requests. If so, redirect to HTTPS if you're
> not already there, if not, redirect to HTTP.

The simplest server-side logic for this is:

 if Accept-Upgrade: https is present, then
    302 redirect to https
 else
    serve in cleartext.

If it's only sent during navigational requests, then the simplest
server-side logic will fail to redirect requests for things like images
or scripts that could have been redirected safely in the first place.

To fix this, the server-side logic would need to be:

 if (this is a navigational request) and ("Accept-Upgrade: https" is present), then
    302 redirect to https
 else
    serve in cleartext

But it's not clear to me that the server side can actually evaluate
"this is a navigational request" effectively.  Is there a way?

This seems like it might introduce more problems on the server side than
it solves.

Does CSP itself offer any feature-detection capabilities?

   --dkg

Received on Wednesday, 11 February 2015 19:52:56 UTC
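The two server-side policies dkg sketches, plus one attempt at answering "is there a way" to tell a navigational request apart on the server, as an added example that is not code from this thread or from the upgrade spec. It keeps the thread's proposed "Accept-Upgrade: https" header name; the host name, the sample requests and the Accept-header heuristic are all constructed for illustration.

```python
# Added example, not code from the thread: a minimal model of the server-side
# decision dkg describes for the proposed "Accept-Upgrade: https" header.
# The host name, the request shapes and the Accept-based heuristic are
# assumptions made here, not anything the thread specifies.
from dataclasses import dataclass, field


@dataclass
class Request:
    """Bare-bones cleartext HTTP request, as the server sees it."""
    host: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        # Header names are case-insensitive in HTTP.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def simple_policy(req: Request):
    """dkg's 'simplest server-side logic': redirect iff the header is present.
    Returns (status, response_headers)."""
    if req.header("Accept-Upgrade") == "https":
        return 302, {"Location": f"https://{req.host}{req.path}"}
    return 200, {"Content-Type": "text/plain"}


def looks_navigational(req: Request) -> bool:
    """Heuristic stand-in for 'this is a navigational request'.

    Assumption (not proposed in the thread): browsers put text/html first in
    Accept for navigations and */* or image/* for scripts and images.  Any
    client or script can set Accept to whatever it likes, so this is a guess,
    not a guarantee."""
    accept = req.header("Accept") or ""
    first = accept.split(",")[0].strip().lower()
    return first.startswith("text/html")


def guarded_policy(req: Request):
    """dkg's second form: redirect only if (navigational) and header present."""
    if looks_navigational(req) and req.header("Accept-Upgrade") == "https":
        return 302, {"Location": f"https://{req.host}{req.path}"}
    return 200, {"Content-Type": "text/plain"}


# Constructed sample requests against a hypothetical host.
NAV_UPGRADE = Request("example.test", "/", {
    "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
    "Accept-Upgrade": "https",
})
NAV_LEGACY = Request("example.test", "/", {
    "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
})
# Per the proposal the header rides only on navigations, so an <img> fetch
# arrives without it even from an upgrade-capable browser.
IMG_SUBRESOURCE = Request("example.test", "/logo.png", {
    "Accept": "image/webp,*/*;q=0.8",
})
# A script-initiated fetch that asks for text/html first: the Accept
# heuristic wrongly files it as a navigation.
SCRIPTED_FETCH = Request("example.test", "/api/data", {
    "Accept": "text/html",
})


def run_matrix():
    """Return {sample name: (simple_status, guarded_status)}."""
    samples = {
        "navigation, upgrade-capable": NAV_UPGRADE,
        "navigation, legacy": NAV_LEGACY,
        "image subresource": IMG_SUBRESOURCE,
        "scripted fetch, text/html": SCRIPTED_FETCH,
    }
    return {n: (simple_policy(r)[0], guarded_policy(r)[0])
            for n, r in samples.items()}


if __name__ == "__main__":
    for name, (s, g) in run_matrix().items():
        print(f"{name:30s} simple={s} guarded={g}")
    print("scripted fetch looks navigational:",
          looks_navigational(SCRIPTED_FETCH))
```

Running this shows what the cleartext request actually gives the server to work with: the Accept header is the only hint of request type in this model, and it misclassifies the scripted fetch, so the "navigational" test in the second policy can only be a guess unless the client says so explicitly.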