- From: Nottingham, Mark <mnotting@akamai.com>
- Date: Tue, 30 Jun 2015 08:14:27 +0000
- To: Mike West <mkwst@google.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
> On 30 Jun 2015, at 5:36 pm, Mike West <mkwst@google.com> wrote:
>
> Chrome 44 sends an `HTTPS: 1` header, as specced at https://w3c.github.io/webappsec/specs/upgrade/#preference. It looks like this is causing issues with some folks' servers. These are the bugs I've seen reported so far:
>
> * https://crbug.com/501095
> * https://crbug.com/501842
> * https://crbug.com/504357
>
> My vague guess is that some configurations set internal variables based on header names (e.g. `HTTPS: 1` => `$HTTPS == 1`), which is confusing the poor programs.

Nice!

Given that CGI and most other sane server APIs put headers in a distinct namespace, this is a special kind of broken for those sites - I can only imagine what you can trick them into doing with a header...

> With this in mind, I think it might be advisable to change the header name, which means diving back into the bikeshed of https://github.com/w3c/webappsec/issues/216. Think we can agree on a name this week?
>
> If we can't, I'll run with `TLS: 1` by royal fiat. :)

WFM; although I kinda just want to break sites like this, I understand how you might not.

Cheers,

> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

--
Mark Nottingham mnot@akamai.com https://www.mnot.net/
Received on Tuesday, 30 June 2015 08:15:00 UTC
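The namespace point Mark makes above, as an added example that is not part of the thread and not code from Chrome or any of the servers in the linked bugs: RFC 3875 (CGI) exposes each request header to the script as a meta-variable named `HTTP_<NAME>`, so a client-sent `HTTPS: 1` becomes `HTTP_HTTPS` and cannot collide with the server-set `HTTPS` variable. The `build_environ_flattened` function below is a model of the misconfiguration Mike guesses at (header names copied into bare variables), `is_secure` is a hypothetical application check, and the raw request is constructed for the example; none of these are taken from a real server or site.

```python
"""Model of why a request header named `HTTPS` can confuse a server.

Correct CGI-style servers expose request headers as HTTP_<NAME> and set
transport facts such as HTTPS=on themselves.  A server that drops the
HTTP_ prefix lets any client overwrite those facts with a header.
"""

from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample: a plaintext (non-TLS) request carrying the header
# Chrome 44 sent, plus the proposed `TLS: 1` rename for comparison.
SAMPLE_PLAINTEXT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "HTTPS: 1\r\n"
    "TLS: 1\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)


def parse_request_headers(raw: str) -> Headers:
    """Minimal parser for the header section of a raw HTTP/1.1 request.

    Header folding (obs-fold) is not supported; a line without ':' is an error.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers


def cgi_meta_name(header_name: str) -> str:
    """Map a request header name to its RFC 3875 meta-variable name:
    upper-case, '-' replaced by '_', and always prefixed with HTTP_."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def build_environ_cgi(headers: Headers, tls: bool) -> Dict[str, str]:
    """Correct behaviour: headers live under HTTP_*, HTTPS comes from the connection."""
    env: Dict[str, str] = {}
    if tls:
        env["HTTPS"] = "on"  # derived from the socket, never from the request
    for name, value in headers:
        env[cgi_meta_name(name)] = value
    return env


def build_environ_flattened(headers: Headers, tls: bool) -> Dict[str, str]:
    """Hypothetical broken configuration: header names become bare variables
    (no HTTP_ prefix), so a client-sent `HTTPS: 1` overwrites env["HTTPS"]."""
    env: Dict[str, str] = {}
    if tls:
        env["HTTPS"] = "on"
    for name, value in headers:
        env[name.strip().upper().replace("-", "_")] = value
    return env


def is_secure(env: Dict[str, str]) -> bool:
    """Hypothetical application check: treat the request as TLS if HTTPS is
    truthy (Apache-style servers use 'on'; some code also accepts '1')."""
    return env.get("HTTPS", "").lower() in ("on", "1", "true")


def demo() -> Tuple[bool, bool]:
    """Return (secure_under_cgi, secure_under_flattened) for the sample request."""
    hdrs = parse_request_headers(SAMPLE_PLAINTEXT_REQUEST)
    return (
        is_secure(build_environ_cgi(hdrs, tls=False)),
        is_secure(build_environ_flattened(hdrs, tls=False)),
    )


if __name__ == "__main__":
    cgi_ok, flat_ok = demo()
    print("CGI namespace says secure:", cgi_ok)        # False: it only sees HTTP_HTTPS
    print("Flattened namespace says secure:", flat_ok)  # True: the client set HTTPS=1
```

With the prefix in place the header is just data (`HTTP_HTTPS=1`, `HTTP_TLS=1`) and the plaintext request is correctly reported as insecure; with the prefix dropped, the same request sets `HTTPS=1` and `TLS=1` in the environment, which is why renaming the header only moves the problem for a server built this way.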