W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: UPGRADE: Feature detection?

From: Jacob Hoffman-Andrews <jsha@eff.org>
Date: Wed, 11 Feb 2015 12:04:21 -0800
Message-ID: <54DBB5C5.1060805@eff.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: Peter Eckersley <pde@eff.org>, Eric Mill <eric@konklone.com>

On 02/11/2015 11:52 AM, Daniel Kahn Gillmor wrote:
> If it's only sent during navigational requests, then the simplest
> server-side logic will fail to redirect requests for things like
> images or scripts that could have been redirected safely in the first
> place.
On upgrade-capable browsers, subresources with hardcoded HTTP URLs would
be upgraded to HTTPS by the upgrade mechanism, without ever making a
plaintext request.

On non-upgrade-capable browsers, subresources with hardcoded HTTP URLs
would first make a plaintext request. Some servers may desire to
redirect these, but I don't think it adds any security or privacy
benefit. The plaintext request has already hit the network and
potentially been observed and/or hijacked.
Received on Wednesday, 11 February 2015 20:04:56 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC