W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2015

Re: UPGRADE: 'HTTPS' header causing compatibility issues.

From: Nottingham, Mark <mnotting@akamai.com>
Date: Tue, 30 Jun 2015 08:14:27 +0000
To: Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <7725392C-F36E-4B28-A2A2-3C62FAC15AF7@akamai.com>

> On 30 Jun 2015, at 5:36 pm, Mike West <mkwst@google.com> wrote:
> Chrome 44 sends an `HTTPS: 1` header, as specced at https://w3c.github.io/webappsec/specs/upgrade/#preference. It looks like this is causing issues with some folks' servers. These are the bugs I've seen reported so far:
> * https://crbug.com/501095

> * https://crbug.com/501842

> * https://crbug.com/504357

> My vague guess is that some configurations set internal variables based on header names (e.g. `HTTPS: 1` => `$HTTPS == 1`), which is confusing the poor programs.


Given that CGI and most other sane server APIs put headers in a distinct namespace, this is a special kind of broken for those sites - I can only imagine what you can trick them into doing with a header... 

> With this in mind, I think it might be advisable to change the header name, which means diving back into the bikeshed of https://github.com/w3c/webappsec/issues/216. Think we can agree on a name this week?
> If we can't, I'll run with `TLS: 1` by royal fiat. :)

WFM; although I kinda just want to break sites like this, I understand how you might not.


> --
> Mike West <mkwst@google.com>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Mark Nottingham    mnot@akamai.com   https://www.mnot.net/

Received on Tuesday, 30 June 2015 08:15:00 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC