
Re: [MIX] HSTS, SW and mixed-content

From: Mike West <mkwst@google.com>
Date: Tue, 27 Jan 2015 16:08:02 +0100
Message-ID: <CAKXHy=dRDWEcfTE2S1wMLZk5DBNzWqcQhChDgC48GtGX8QRWmQ@mail.gmail.com>
To: Yves Lafon <ylafon@w3.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Copy/pasting from the GitHub issue:

On Tue, Jan 27, 2015 at 3:49 PM, Yves Lafon <ylafon@w3.org> wrote:

>
> Is the characterization of the potentially secure/a priori insecure URLs
> done before or after applying HSTS URL rewriting?


HSTS happens after mixed content checking. We've had a number of threads on
this, and there are reasonable arguments on both sides, but this is, I
think, where we've come down pretty solidly.
https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0306.html and
related is the most recent, most relevant thread.


> The same question goes if the request is handled by a ServiceWorker (and
> in fact anything that is impacting resource fetching).
>

Service workers happen after an initial round of mixed content checking.
That is, we see a request for X, we evaluate it against mixed content
checking at the top of Fetch, and then, if it passes, it moves into the
service worker for processing (where it will again be subject to mixed
content checks).

Thanks!

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
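The ordering described in the message above, written out as an added example (it is not code from the thread, from the Mixed Content or Fetch specs, or from any browser): a small JavaScript model of a fetch that runs the mixed content check first, then the HSTS rewrite, then a service worker, and then checks again. The "potentially secure" classification, the `hstsHosts` set, the `serviceWorker` callback and the URLs are all assumptions made for the example.

```javascript
// Added example, not from the original message. Simplified model of the order
// Mike describes: mixed content check, HSTS rewrite, service worker, then a
// second mixed content check on whatever the worker hands back.

// Simplified "potentially secure" test (assumption: https/wss or a loopback
// host). The real rule in the spec has more cases.
function isPotentiallySecure(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return ["localhost", "127.0.0.1", "[::1]"].includes(u.hostname);
}

// Mixed content: a secure page may not fetch an a priori insecure URL.
function mixedContentBlocks(pageUrl, requestUrl) {
  return isPotentiallySecure(pageUrl) && !isPotentiallySecure(requestUrl);
}

// HSTS rewrite: http -> https for hosts with a known policy (hstsHosts is an
// assumed Set of hostnames standing in for the browser's HSTS store).
function applyHsts(requestUrl, hstsHosts) {
  const u = new URL(requestUrl);
  if (u.protocol === "http:" && hstsHosts.has(u.hostname)) {
    u.protocol = "https:"; // default port is dropped automatically
  }
  return u.href;
}

// Fetch pipeline in the order given in the message. serviceWorker is an
// optional callback (assumed shape: url -> url of the response it produces).
function fetchWithPolicy(pageUrl, requestUrl, hstsHosts, serviceWorker = null) {
  const trace = [];
  // 1. Mixed content check at the top of fetch, before HSTS has a say.
  if (mixedContentBlocks(pageUrl, requestUrl)) {
    trace.push("blocked: mixed content (checked before HSTS)");
    return { ok: false, url: requestUrl, trace };
  }
  trace.push("passed initial mixed content check");
  // 2. HSTS rewrite happens only for requests that survived step 1.
  let url = applyHsts(requestUrl, hstsHosts);
  if (url !== requestUrl) trace.push(`HSTS rewrote to ${url}`);
  // 3. Service worker, then 4. mixed content check again on its response.
  if (serviceWorker) {
    url = serviceWorker(url);
    trace.push(`service worker responded from ${url}`);
    if (mixedContentBlocks(pageUrl, url)) {
      trace.push("blocked: mixed content (checked after service worker)");
      return { ok: false, url, trace };
    }
  }
  trace.push("allowed");
  return { ok: true, url, trace };
}

// Constructed scenarios (hostnames are placeholders, not real sites).
const hstsHosts = new Set(["img.example"]);

// https page, http subresource on an HSTS host: blocked, never upgraded.
const blockedDespiteHsts = fetchWithPolicy(
  "https://app.example/", "http://img.example/a.png", hstsHosts);

// http page, same subresource: no mixed content, so HSTS does upgrade it.
const upgradedOnHttpPage = fetchWithPolicy(
  "http://app.example/", "http://img.example/a.png", hstsHosts);

// https page, https request, but the worker answers from an http URL:
// passes the first check, fails the second.
const swDowngrade = (u) => u.replace("https://cdn.example/", "http://cache.example/");
const blockedAfterWorker = fetchWithPolicy(
  "https://app.example/", "https://cdn.example/lib.js", hstsHosts, swDowngrade);

for (const r of [blockedDespiteHsts, upgradedOnHttpPage, blockedAfterWorker]) {
  console.log(r.ok ? "ALLOW" : "BLOCK", r.url, "|", r.trace.join(" -> "));
}
```

The first scenario is the practical consequence of "HSTS happens after mixed content checking": an `http://` subresource on an `https://` page is blocked as mixed content even when the browser already holds an HSTS entry for that host, so the fix is to reference the `https://` URL in the page rather than rely on the rewrite. The third scenario is the reason for the second check around service workers: a worker can answer a request from a different URL than the one that was checked at the top of fetch.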
Received on Tuesday, 27 January 2015 15:08:50 UTC
