
Re: UPGRADE: Feature detection?

From: Mike West <mkwst@google.com>
Date: Thu, 12 Feb 2015 08:35:57 +0100
Message-ID: <CAKXHy=fY7rB794+dd2O5q3-Rf-CBOGf3kQQFN9V2SUo=w-qUDw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Peter Eckersley <pde@eff.org>, Eric Mill <eric@konklone.com>, Jacob S Hoffman-Andrews <jsha@eff.org>

On Thu, Feb 12, 2015 at 7:57 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 12 February 2015 at 17:51, Mike West <mkwst@google.com> wrote:
>> 2. Moreover, there's no harm in redirecting _all_ non-HTML/non-Worker
>> requests to HTTPS, is there? That would simplify server-side logic. :)
>
>
> That's a bold assertion.  So, for resource fetching with GET, you can
> cause no harm on the protocol end, so go for broke.

Sure.

> You can only do that if the method is safe and idempotent, but I think
> that is as far as you intended to go anyway.

The upgrade strawman we're discussing intends to act on form
submissions as well. To what extent do you expect upgrading from HTTP
to HTTPS for non-idempotent methods to be dangerous?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine
Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 12 February 2015 07:36:44 UTC
