W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Re: [UPGRADE]: What's left?

From: Alex Russell <slightlyoff@google.com>
Date: Fri, 6 Mar 2015 07:21:03 -0800
Message-ID: <CANr5HFUf0Y90M=cJr2CJKK471u2Cb33hp0EmiboZ+LZnR3KMnA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Yves Lafon <ylafon@w3.org>, Tanvi Vyas <tanvi@mozilla.com>, Daniel Appelquist <appelquist@gmail.com>, T Guild <ted@w3.org>, Peter Eckersley <pde@eff.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>
On 5 Mar 2015 11:51 pm, "Mike West" <mkwst@google.com> wrote:
>
> I've done some work on the "Upgrade Insecure Requests" spec since the
FPWD was published (and have a 90% functional implementation behind a flag
in Chrome). I'd appreciate it if folks here would take another look at the
document to see if we're converging on something we like:
https://w3c.github.io/webappsec/specs/upgrade/
>
> The only issue noted in the document is
https://github.com/w3c/webappsec/issues/184, which suggests changing from a
value-less directive to a whitelist of hosts. I can see how that would be
valuable, but it seems like a complicated thing to add if we don't actually
need it. Do folks here think it is necessary?

No.

> In particular, I'm CCing some W3C folks (Ted and Yves) who participated
in an earlier thread[1] to see if this would help them more quickly migrate
to HTTPS. Hi! Does this help for the W3C's use-case?
>
> Basically, if what we have is good enough, I want to start shipping it in
Chrome to get developer feedback (and to get sites migrated more quickly).
If it's not good enough, I want to know how to make it better.

I love that it leads(ish) with examples.

Per Anne's thought, it'd be great if the example discussed HSTS and how
these work together to make transitioning a large site less painful. In
particular, talking about how reporting can help the site fix issues over
time (in the early examples) would help.

Also, in example 2, why is Megacorp skittish about HSTS?

> Feedback welcome. :)
>
> [1]: https://lists.w3.org/Archives/Public/www-tag/2014Nov/0031.html
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 6 March 2015 15:21:33 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:11 UTC