- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 12 Feb 2015 17:26:41 +0100
- To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- CC: Peter Eckersley <pde@eff.org>, Eric Mill <eric@konklone.com>, Jacob S Hoffman-Andrews <jsha@eff.org>

On 2015-02-11 15:34, Mike West wrote:
> While writing the example flow at
> https://w3c.github.io/webappsec/specs/upgrade/#examples, I stumbled over
> the problem of knowing when to redirect a user from an HTTP page to an
> HTTPS one. If you require the upgrade mechanism we're defining in order
> to give a user a reasonable experience, then you need to know whether or
> not she's capable of performing the upgrade before redirection.
>
> I think we should explicitly support this sort of feature detection,
> rather than relying on user agent sniffing*. Perhaps something like the
> following HTTP request header could be sent along with every
> navigational request (e.g. top-level navigations, new windows, and iframes):
>
>     Accept-Upgrade: https
> ...

Nitpicking on the field name; how about:

    Prefer: encrypted

(that at least avoids a new header field name, and already has a well-defined syntax and extensibility model).

Best regards, Julian

Received on Thursday, 12 February 2015 16:27:40 UTC
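
The feature detection discussed in this thread, sketched from the server side as an added example that is not part of the original message or of any specification: the `Prefer` field is parsed with the RFC 7240 syntax and a plain-HTTP navigation is redirected only when the client signalled the capability. The `encrypted` token is only the name proposed above; `CANONICAL_HOST` and the function names are hypothetical.

```javascript
// Added example. "encrypted" is the preference token proposed in this thread,
// not a registered one. CANONICAL_HOST is a hypothetical configured host name.
const CANONICAL_HOST = "example.com";

// Split on `sep`, ignoring separators inside quoted-strings (legal as Prefer values).
function splitOutsideQuotes(s, sep) {
  const parts = [];
  let cur = "", quoted = false;
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (quoted && ch === "\\" && i + 1 < s.length) { cur += ch + s[++i]; continue; }
    if (ch === '"') quoted = !quoted;
    if (ch === sep && !quoted) { parts.push(cur); cur = ""; } else cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Parse one or more Prefer field values into a Map of lowercase token -> value ("" if none).
function parsePrefer(fieldValues) {
  const prefs = new Map();
  for (const field of [].concat(fieldValues || [])) {
    for (const item of splitOutsideQuotes(field, ",")) {
      const [head] = splitOutsideQuotes(item, ";");        // parameters are not needed here
      const eq = head.indexOf("=");
      const name = (eq < 0 ? head : head.slice(0, eq)).trim().toLowerCase();
      if (!/^[!#$%&'*+\-.^_`|~0-9a-z]+$/.test(name)) continue; // not an HTTP token: ignore
      const value = eq < 0 ? "" : head.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
      if (!prefs.has(name)) prefs.set(name, value);         // only the first instance counts
    }
  }
  return prefs;
}

// Decide how to answer a navigational request.
// req = { secure: boolean, prefer: string | string[] | undefined, path: string }
function decideNavigation(req) {
  if (req.secure) return { status: 200, headers: {} };
  // The answer over HTTP depends on Prefer, so shared caches must key on it.
  const headers = { Vary: "Prefer" };
  if (!parsePrefer(req.prefer).has("encrypted")) return { status: 200, headers };
  // Build the target from configuration, never from the request's Host header.
  headers.Location = "https://" + CANONICAL_HOST + req.path;
  return { status: 307, headers };
}
```

The header is a capability hint, not an authenticated signal, so it should only select between two responses that are both safe to serve.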