- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 12 Feb 2015 17:26:41 +0100
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- CC: Peter Eckersley <pde@eff.org>, Eric Mill <eric@konklone.com>, Jacob S Hoffman-Andrews <jsha@eff.org>
On 2015-02-11 15:34, Mike West wrote:
> While writing the example flow at
> https://w3c.github.io/webappsec/specs/upgrade/#examples, I stumbled over
> the problem of knowing when to redirect a user from an HTTP page to an
> HTTPS one. If you require the upgrade mechanism we're defining in order
> to give a user a reasonable experience, then you need to know whether or
> not she's capable of performing the upgrade before redirection.
>
> I think we should explicitly support this sort of feature detection,
> rather than relying on user agent sniffing*. Perhaps something like the
> following HTTP request header could be sent along with every
> navigational request (e.g. top-level navigations, new windows, and iframes):
>
> Accept-Upgrade: https
> ...
Nitpicking on the field name; how about:

Prefer: encrypted

(that at least avoids a new header field name, and already has a
well-defined syntax and extensibility model).

Best regards, Julian
Received on Thursday, 12 February 2015 16:27:40 UTC
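
The server side of the feature detection discussed in this thread, as an added example (not code from either message or from the spec draft): it parses the `Prefer` request field using the RFC 7240 syntax and redirects an HTTP navigation to HTTPS only when the client sent the proposed `encrypted` preference. The `encrypted` token is the proposal above, not a registered preference; the function names, the configured `canonical_host` parameter and the choice of a 307 status are assumptions.

```python
import re

# RFC 7230 token and quoted-string, as used by the RFC 7240 Prefer syntax.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PREF = re.compile(rf"({_TOKEN})\s*(?:=\s*({_TOKEN}|{_QUOTED}))?")


def _split(value, sep):
    """Split on sep, ignoring separators inside quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_prefer(field_values):
    """Map preference token -> value for one or more Prefer field lines."""
    prefs = {}
    for line in field_values:
        for element in _split(line, ","):
            head = _split(element, ";")[0].strip()  # drop parameters
            m = _PREF.fullmatch(head)
            if not m:
                continue  # empty or malformed element: ignore it
            value = m.group(2) or ""
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            # Tokens are case-insensitive; the first occurrence wins.
            prefs.setdefault(m.group(1).lower(), value)
    return prefs


def upgrade_decision(scheme, canonical_host, target, prefer_values):
    """Return (status, headers) for a navigational request."""
    headers = {"Vary": "Prefer"}  # caches must key on the Prefer field
    if scheme == "http" and "encrypted" in parse_prefer(prefer_values):
        headers["Location"] = f"https://{canonical_host}{target}"
        return 307, headers
    return 200, headers
```

The redirect target is built from a configured host rather than the request's `Host` field, and a preference is matched as a parsed token, so a value such as `note="encrypted, maybe"` does not trigger the redirect.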