I've done some work on the "Upgrade Insecure Requests" spec since the FPWD
was published (and have a 90% functional implementation behind a flag in
Chrome). I'd appreciate it if folks here would take another look at the
document to see if we're converging on something we like:
https://w3c.github.io/webappsec/specs/upgrade/
The only issue noted in the document is
https://github.com/w3c/webappsec/issues/184, which suggests changing from a
value-less directive to a whitelist of hosts. I can see how that would be
valuable, but it seems like a complicated thing to add if we don't actually
need it. Do folks here think it is necessary?
In particular, I'm CCing some W3C folks (Ted and Yves) who participated in
an earlier thread[1] to see if this would help them more quickly migrate to
HTTPS. Hi! Does this help for the W3C's use-case?
Basically, if what we have is good enough, I want to start shipping it in
Chrome to get developer feedback (and to get sites migrated more quickly).
If it's not good enough, I want to know how to make it better.
Feedback welcome. :)
[1]: https://lists.w3.org/Archives/Public/www-tag/2014Nov/0031.html
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)