On Fri, Mar 6, 2015 at 11:10 AM, Yves Lafon <ylafon@w3.org> wrote:
> On Fri, 6 Mar 2015, Mike West wrote:
>
> I've done some work on the "Upgrade Insecure Requests" spec since the FPWD
>> was published (and have a 90% functional implementation behind a flag in
>> Chrome). I'd appreciate it if folks here would take another look at the
>> document to see if we're converging on something we like:
>> https://w3c.github.io/webappsec/specs/upgrade/
>>
>> The only issue noted in the document is
>> https://github.com/w3c/webappsec/issues/184, which suggests changing
>> from a
>> value-less directive to a whitelist of hosts. I can see how that would be
>> valuable, but it seems like a complicated thing to add if we don't
>> actually
>> need it. Do folks here think it is necessary?
>>
>
> Well, if you are able to select what to upgrade on a fine-grain basis, you
> are not solving the issue, just reducing the surface of attacks (the number
> of insecure links to upgrade), in that case, they can rewrite part of the
> content to that effect. Here the goal was to mass-upgrade things you were
> not able to rewrite, so not worth the complexity of adding it, IMHO.
Alright. That's three votes for "Leave it like it is." Thanks!
> In particular, I'm CCing some W3C folks (Ted and Yves) who participated in
>> an earlier thread[1] to see if this would help them more quickly migrate
>> to
>> HTTPS. Hi! Does this help for the W3C's use-case?
>>
>
> There were a few things, this document addresses the use case of upgrading
> content that are not upgraded by HSTS, which is great!
>
Are there other barriers to migration that this doesn't address?
> I'm wondering about the "insecure content warning" on browers, so would
> this make the warning disappear in implementations (ie: is it linked to the
> enforced policies), but that's more implementation-specific.
Exactly. The intent is to avoid the insecure content warning, and that's
how Chrome's experimental implementation works. Perhaps it's worth adding a
note about that to the document...
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)