On 5 Mar 2015 11:51 pm, "Mike West" <mkwst@google.com> wrote: > > I've done some work on the "Upgrade Insecure Requests" spec since the FPWD was published (and have a 90% functional implementation behind a flag in Chrome). I'd appreciate it if folks here would take another look at the document to see if we're converging on something we like: https://w3c.github.io/webappsec/specs/upgrade/ > > The only issue noted in the document is https://github.com/w3c/webappsec/issues/184, which suggests changing from a value-less directive to a whitelist of hosts. I can see how that would be valuable, but it seems like a complicated thing to add if we don't actually need it. Do folks here think it is necessary? No. > In particular, I'm CCing some W3C folks (Ted and Yves) who participated in an earlier thread[1] to see if this would help them more quickly migrate to HTTPS. Hi! Does this help for the W3C's use-case? > > Basically, if what we have is good enough, I want to start shipping it in Chrome to get developer feedback (and to get sites migrated more quickly). If it's not good enough, I want to know how to make it better. I love that it leads(ish) with examples. Per Anne's thought, it'd be great if the example discussed HSTS and how these work together to make transitioning a large site less painful. In particular, talking about how reporting can help the site fix issues over time (in the early examples) would help. Also, in example 2, why is Megacorp skittish about HSTS? > Feedback welcome. :) > > [1]: https://lists.w3.org/Archives/Public/www-tag/2014Nov/0031.html > > -- > Mike West <mkwst@google.com>, @mikewest > > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 6 March 2015 15:21:33 UTC