I'm looking at the spec again, and "insecure" -> "non-secure" is a slightly
more sweeping change than I expected, given that we use the term in one way
or another in practically every webappsec spec. How strongly do you folks
(Brian, Martin, Richard) feel about the distinction? :)
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
On Thu, Jul 9, 2015 at 12:06 AM, Richard Barnes <rbarnes@mozilla.com> wrote:
> On Wed, Jul 8, 2015 at 2:56 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:
>
>> Firefox's implementation is about to land, so if we are changing
>> directive names it would be nice to know sooner than later. Has Chrome's
>> already landed? I don't want user agents to have to maintain support for
>> both upgrade-insecure-requests and upgrade-insecure directives.
>>
>
> "upgrade-non-secure", I thought.
>
>
>>
>>
>> On 7/8/15 11:12 AM, Mike West wrote:
>>
>> Ok. If no one strenuously objects by the time I wake up, I'll poke at the
>> spec with `upgrade-non-secure` in mind tomorrow.
>>
>> -mike
>>
>>
>> On Wed, Jul 8, 2015 at 7:53 PM, Richard Barnes <rbarnes@mozilla.com>
>> wrote:
>>
>>>
>>>
>>> On Wed, Jul 8, 2015 at 10:48 AM, Brian Smith <brian@briansmith.org>
>>> wrote:
>>>
>>>> On Wed, Jul 8, 2015 at 1:08 PM, Richard Barnes <rbarnes@mozilla.com>
>>>> wrote:
>>>>
>>>>> On Wed, Jul 8, 2015 at 9:29 AM, Martin Thomson <
>>>>> martin.thomson@gmail.com> wrote:
>>>>>
>>>>>> On 8 July 2015 at 07:53, Mike West <mkwst@google.com> wrote:
>>>>>> > `upgrade-insecure-requests: 1`, going once, going twice...
>>>>>>
>>>>>>
>>>>>> OK, I'll bite. -requests seems unnecessarily verbose. I mean, yes,
>>>>>> we do want to be precise and clear, but `upgrade-insecure` seems
>>>>>> enough; though only if you also change the CSP directive name I
>>>>>> suppose.
>>>>>>
>>>>>
>>>>> Please, let's just have the header name match the directive name.
>>>>>
>>>>
>>>> I agree it is better to have it match the directive name. However, I
>>>> also think it would be fine to rename the CSP directive to
>>>> "upgrade-insecure" or (better) "upgrade-non-secure".
>>>>
>>>> Consider the case of ws:// to wss:// upgrade. No "requests" are
>>>> involved. Also, for HTTP -> HTTPS, the mechanism also indirectly upgrades
>>>> the responses. So "-requests" seems not so good irrespective of the HTTP
>>>> header field naming issue.
>>>>
>>>
>>> WFM
>>>
>>>
>>>>
>>>> Cheers,
>>>> Brian
>>>>
>>>
>>>
>>
>>
>
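To make the mechanism behind the name concrete, here is an added example; it is not code from this thread, from the spec, or from any browser's implementation. It assumes the directive name `upgrade-insecure-requests` as it stands in the thread, the request header `Upgrade-Insecure-Requests: 1` mentioned by Mike, and the rewrite rules the Upgrade Insecure Requests spec defines (http -> https, ws -> wss, port 80 -> 443). The policy string and URL list are constructed inputs. It shows the point Brian raises: a `ws://` WebSocket URL is upgraded exactly like an `http://` subresource, so the thing being upgraded is not always an HTTP "request".

```javascript
// Added example, not code from this thread or from any browser: a minimal model
// of the upgrade-insecure-requests mechanism whose name is being debated.
// Runs stand-alone under Node (uses the global WHATWG URL class).

const DIRECTIVE = "upgrade-insecure-requests"; // name as used in the thread

// Parse a Content-Security-Policy header value into a Map of
// directive-name -> [source-expressions]. CSP ignores repeated directives,
// so the first occurrence of a name wins.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True if the policy asks the UA to upgrade non-secure requests. The directive
// takes no value, so presence is all that matters.
function policyRequestsUpgrade(headerValue) {
  return parseCsp(headerValue).has(DIRECTIVE);
}

// Rewrite one URL the way the spec's upgrade algorithm does. WebSocket URLs are
// rewritten too, which is the case Brian raises: no HTTP request is involved,
// the socket is simply opened over TLS instead.
function upgradeUrl(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "http:") {
    url.protocol = "https:";
  } else if (url.protocol === "ws:") {
    url.protocol = "wss:";
  } else {
    return url.href; // https:, wss:, data:, blob: ... are left untouched
  }
  // The spec also maps an explicit port 80 to 443. The URL parser has already
  // normalised a default port away, so this branch is only here for fidelity;
  // non-default ports (e.g. 8080) are carried over unchanged.
  if (url.port === "80") url.port = "443";
  return url.href;
}

// Apply the policy to a page's subresource URLs: rewrite them only when the
// directive is present, otherwise return them as-is.
function upgradeSubresources(cspHeader, urls) {
  if (!policyRequestsUpgrade(cspHeader)) return urls.slice();
  return urls.map(upgradeUrl);
}

// The request-side signal from the thread: a UA that understands the mechanism
// advertises it on navigation requests with this header (name matches the directive).
function navigationRequestHeaders() {
  return { "Upgrade-Insecure-Requests": "1" };
}

// Constructed sample run.
const samplePolicy = "default-src 'self'; upgrade-insecure-requests";
const sampleUrls = [
  "http://example.com/img.png",
  "ws://example.com/chat",
  "http://example.com:8080/api",
  "https://example.com/already-secure.js",
];
for (const u of upgradeSubresources(samplePolicy, sampleUrls)) {
  console.log(u);
}
console.log(navigationRequestHeaders());
```

Run it with `node upgrade.js`; the first three URLs come out as `https://example.com/img.png`, `wss://example.com/chat` and `https://example.com:8080/api`, the already-secure one is unchanged, and a policy without the directive leaves all four alone.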