Re: UPGRADE: Feature detection?

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 12 Feb 2015 17:26:41 +0100
Message-ID: <54DCD441.3040101@gmx.de>
To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: Peter Eckersley <pde@eff.org>, Eric Mill <eric@konklone.com>, Jacob S Hoffman-Andrews <jsha@eff.org>
On 2015-02-11 15:34, Mike West wrote:
> While writing the example flow at
> https://w3c.github.io/webappsec/specs/upgrade/#examples, I stumbled over
> the problem of knowing when to redirect a user from an HTTP page to an
> HTTPS one. If you require the upgrade mechanism we're defining in order
> to give a user a reasonable experience, then you need to know whether or
> not she's capable of performing the upgrade before redirection.
> I think we should explicitly support this sort of feature detection,
> rather than relying on user agent sniffing*. Perhaps something like the
> following HTTP request header could be sent along with every
> navigational request (e.g. top-level navigations, new windows, and iframes):
>      Accept-Upgrade: https
> ...

Nitpicking on the field name; how about:

        Prefer: encrypted

(that at least avoids a new header field name, and already has a 
well-defined syntax and extensibility model).

Best regards, Julian
Received on Thursday, 12 February 2015 16:27:40 UTC
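
Added example, not part of the original message and not code from the specification: a sketch of how a server could act on the proposed hint, parsing `Prefer` with a simplified form of the RFC 7240 syntax and redirecting a plain-HTTP navigation only when the client sent `encrypted`. The `encrypted` token is the proposal from this thread, not a registered preference; `CANONICAL_HOST`, `parse_prefer` and `decide` are hypothetical names.

```python
import re

CANONICAL_HOST = "example.org"  # assumption: fixed host, never the request's Host header
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_prefer(field_values):
    """Return {preference: value} from one or more Prefer field values."""
    prefs = {}
    for field in field_values:
        for item in _split_outside_quotes(field, ","):
            # Drop any ";param" suffix; only the preference itself matters here.
            head = _split_outside_quotes(item, ";")[0].strip()
            name, _, value = head.partition("=")
            name = name.strip().lower()  # tokens are compared case-insensitively
            if not _TOKEN.match(name):
                continue  # skip empty or malformed entries
            # RFC 7240: when a preference repeats, only the first instance counts.
            prefs.setdefault(name, value.strip().strip('"'))
    return prefs


def decide(scheme, path, prefer_values):
    """Return (status, headers) for a navigational request."""
    if scheme == "https":
        return 200, {}
    # The response depends on Prefer, so shared caches must key on it.
    headers = {"Vary": "Prefer"}
    if "encrypted" in parse_prefer(prefer_values):
        headers["Location"] = "https://" + CANONICAL_HOST + path
        return 307, headers
    return 200, headers  # client did not signal support: serve the HTTP page
```

The header is a client-supplied hint, so the sketch uses it only to choose between two responses the server was already willing to give, and builds the redirect target from a fixed host rather than from request data.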
