Firefox's implementation is about to land, so if we are changing
directive names it would be nice to know sooner than later. Has
Chrome's already landed? I don't want user agents to have to maintain
support for both upgrade-insecure-requests and upgrade-insecure directives.

On 7/8/15 11:12 AM, Mike West wrote:
> Ok. If no one strenuously objects by the time I wake up, I'll poke at
> the spec with `upgrade-non-secure` in mind tomorrow.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine
> Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Wed, Jul 8, 2015 at 7:53 PM, Richard Barnes <rbarnes@mozilla.com> wrote:
>
>
>
> On Wed, Jul 8, 2015 at 10:48 AM, Brian Smith <brian@briansmith.org> wrote:
>
> On Wed, Jul 8, 2015 at 1:08 PM, Richard Barnes <rbarnes@mozilla.com> wrote:
>
> On Wed, Jul 8, 2015 at 9:29 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> On 8 July 2015 at 07:53, Mike West <mkwst@google.com> wrote:
> > `upgrade-insecure-requests: 1`, going once, going twice...
>
>
> OK, I'll bite. -requests seems unnecessarily verbose. I mean, yes,
> we do want to be precise and clear, but `upgrade-insecure` seems
> enough; though only if you also change the CSP directive name I
> suppose.
>
>
> Please, let's just have the header name match the directive name.
>
>
> I agree it is better to have it match the directive name.
> However, I also think it would be fine to rename the CSP
> directive to "upgrade-insecure" or (better) "upgrade-non-secure".
>
> Consider the case of ws:// to wss:// upgrade. No "requests"
> are involved. Also, for HTTP -> HTTPS, the mechanism also
> indirectly upgrades the responses. So "-requests" seems not so
> good irrespective of the HTTP header field naming issue.
>
>
> WFM
>
>
> Cheers,
> Brian
>
>
>