Re: UPGRADE: 'HTTPS' header causing compatibility issues.

On Wed, Jul 8, 2015 at 1:08 PM, Richard Barnes <rbarnes@mozilla.com> wrote:

> On Wed, Jul 8, 2015 at 9:29 AM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
>> On 8 July 2015 at 07:53, Mike West <mkwst@google.com> wrote:
>> > `upgrade-insecure-requests: 1`, going once, going twice...
>>
>>
>> OK, I'll bite.  -requests seems unnecessarily verbose.  I mean, yes,
>> we do want to be precise and clear, but `upgrade-insecure` seems
>> enough; though only if you also change the CSP directive name I
>> suppose.
>>
>
> Please, let's just have the header name match the directive name.
>

I agree it is better to have it match the directive name. However, I also
think it would be fine to rename the CSP directive to "upgrade-insecure" or
(better) "upgrade-non-secure".

Consider the case of ws:// to wss:// upgrade. No "requests" are involved.
Also, for HTTP -> HTTPS, the mechanism also indirectly upgrades the
responses. So "-requests" seems not so good irrespective of the HTTP header
field naming issue.

Cheers,
Brian

Received on Wednesday, 8 July 2015 17:49:12 UTC