W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: UPGRADE: 'HTTPS' header causing compatibility issues.

From: Mike West <mkwst@google.com>
Date: Wed, 8 Jul 2015 20:12:04 +0200
Message-ID: <CAKXHy=eKt563BsqXzpr8h44SKha0Ehfd3azSx+amO44q9zjseg@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Brian Smith <brian@briansmith.org>, Martin Thomson <martin.thomson@gmail.com>, Adrian Hope-Bailie <adrian@hopebailie.com>, Ilya Grigorik <igrigorik@google.com>, Anne van Kesteren <annevk@annevk.nl>, "Nottingham, Mark" <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Ok. If no one strenuously objects by the time I wake up, I'll poke at the
spec with `upgrade-non-secure` in mind tomorrow.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Jul 8, 2015 at 7:53 PM, Richard Barnes <rbarnes@mozilla.com> wrote:

>
>
> On Wed, Jul 8, 2015 at 10:48 AM, Brian Smith <brian@briansmith.org> wrote:
>
>> On Wed, Jul 8, 2015 at 1:08 PM, Richard Barnes <rbarnes@mozilla.com>
>> wrote:
>>
>>> On Wed, Jul 8, 2015 at 9:29 AM, Martin Thomson <martin.thomson@gmail.com
>>> > wrote:
>>>
>>>> On 8 July 2015 at 07:53, Mike West <mkwst@google.com> wrote:
>>>> > `upgrade-insecure-requests: 1`, going once, going twice...
>>>>
>>>>
>>>> OK, I'll bite.  -requests seems unnecessarily verbose.  I mean, yes,
>>>> we do want to be precise and clear, but `upgrade-insecure` seems
>>>> enough; though only if you also change the CSP directive name I
>>>> suppose.
>>>>
>>>
>>> Please, let's just have the header name match the directive name.
>>>
>>
>> I agree it is better to have it match the directive name. However, I also
>> think it would be fine to rename the CSP directive to "upgrade-insecure" or
>> (better) "upgrade-non-secure".
>>
>> Consider the case of ws:// to wss:// upgrade. No "requests" are involved.
>> Also, for HTTP -> HTTPS, the mechanism also indirectly upgrades the
>> responses. So "-requests" seems not so good irrespective of the HTTP header
>> field naming issue.
>>
>
> WFM
>
>
>>
>> Cheers,
>> Brian
>>
>
>
Received on Wednesday, 8 July 2015 18:12:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC