[MIX] HSTS, SW and mixed-content

(resending here MIX issue 157 [1], per Mike West's suggestion)

Hi,
Section 4.1 talks in a Note about HSTS forcing all content into the 
'blockable' category, which is related to HSTS Ancillary Requirement 
number 1 [2], but there is nothing in section 4.1 or anywhere else (thinking of 
section 5) about HSTS Core Requirement number 4 [3], URI scheme rewriting 
(see also HSTS URI Loading and Port Mapping [4]).

There are a few issues here:
Is the characterization of the potentially secure/a priori insecure URLs 
done before or after applying HSTS URL rewriting? The same question goes 
if the request is handled by a ServiceWorker (and in fact anything that is 
impacting resource fetching).

Thanks,

[1] https://github.com/w3c/webappsec/issues/157
[2] https://tools.ietf.org/html/rfc6797#section-2.4.1.2
[3] https://tools.ietf.org/html/rfc6797#section-2.4.1.1
[4] https://tools.ietf.org/html/rfc6797#section-8.3

-- 
Baroula que barouleras, au tiéu toujou t'entourneras.

         ~~Yves

Received on Tuesday, 27 January 2015 14:49:50 UTC
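
The ordering question raised in the message above, as an added example that is not part of the original message or of either specification: it classifies the same subresource URL before and after the RFC 6797 section 8.3 rewrite to show that the two orders give different verdicts. The host names, the HSTS store and the simplified classify() (only https: and wss: count as potentially secure) are assumptions made for illustration.

```javascript
// Constructed HSTS store: hosts for which the user agent holds a policy.
const knownHstsHosts = new Map([
  ["static.example.com", { includeSubDomains: false }],
  ["example.org", { includeSubDomains: true }],
]);

// Known HSTS Host match: exact host, or a superdomain with includeSubDomains.
function isKnownHstsHost(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const policy = knownHstsHosts.get(labels.slice(i).join("."));
    if (policy && (i === 0 || policy.includeSubDomains)) return true;
  }
  return false;
}

// RFC 6797 section 8.3: http becomes https; an explicit port 80 maps to 443
// (the URL parser drops default ports), any other explicit port is preserved.
function hstsRewrite(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "http:" && isKnownHstsHost(url.hostname)) {
    url.protocol = "https:";
  }
  return url.href;
}

// Simplified stand-in for the MIX classification (assumption, see lead-in).
function classify(urlString) {
  const scheme = new URL(urlString).protocol;
  return scheme === "https:" || scheme === "wss:"
    ? "potentially secure"
    : "a priori insecure";
}

// Verdict for one subresource URL under each of the two possible orderings.
function verdicts(urlString) {
  return {
    classifyThenRewrite: classify(urlString),
    rewriteThenClassify: classify(hstsRewrite(urlString)),
  };
}

// Constructed subresource requests made from an https page.
for (const u of ["http://static.example.com/app.js",
                 "http://cdn.example.org:8080/lib.js",
                 "http://other.test/img.png"]) {
  console.log(u, "->", hstsRewrite(u), verdicts(u));
}
```

Only requests to hosts with a stored HSTS policy diverge between the two orderings, so the outcome for the same page can differ between a user agent that has already seen the policy and one that has not.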