W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: UPGRADE: 'HTTPS' header causing compatibility issues.

From: Mike West <mkwst@google.com>
Date: Wed, 1 Jul 2015 15:31:15 +0200
Message-ID: <CAKXHy=ffR_s=e0P7Fn819LWMkbwvGm4b54Jq1QOaC6UtGZqpDA@mail.gmail.com>
To: Adrian Hope-Bailie <adrian@hopebailie.com>
Cc: Richard Barnes <rbarnes@mozilla.com>, Ilya Grigorik <igrigorik@google.com>, Anne van Kesteren <annevk@annevk.nl>, "Nottingham, Mark" <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jul 1, 2015 at 2:41 PM, Adrian Hope-Bailie <adrian@hopebailie.com>

> I suggest "Prefer: Transport-Security" as that is effectively what the
> client is asking for.

If `Vary` isn't an issue, then yes, something like this seems totally
reasonable: https://github.com/w3c/webappsec/issues/216 has some earlier
iterations that we threw away. Since we're painting, I'd spell it `Prefer:
secure-transport`, but whatever.

> WRT caching, it seems to me that a server that supports the upgrade will
> do a redirect when it first receives this header and should simply use
> Cache-Control : no-store in the redirect response and never use the Vary
> header anyway. It's likely that in the upgrade scenario this flow will only
> happen once per client and so the value of caching this step is low.

I defer to people who know more about the network stack than I, but yes.
This seems like a reasonable thing for servers to do.

Also, not sure why it's critical to drop a few bytes from the headers at
> the expense of making this understandable?

If this is an advertisement that goes out on every navigational request;
those bits get expensive when you multiply them by a bajillion users.
Happily, magical header compression dust can be sprinkled on HTTP/2
connections, which removes all cost from header injection (all cost!
really! mostly! kinda! not really. :( ).

Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 1 July 2015 13:32:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:49 UTC