W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Re: [UPGRADE]: What's left?

From: Peter Eckersley <pde@eff.org>
Date: Fri, 6 Mar 2015 09:49:46 -0800
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>
Message-ID: <20150306174946.GQ7934@eff.org>
Dkg and I happen to be physically colocated and have been looking
through the draft.  

The first significant issue we spotted is that the client will
(unfortunately) need to keep signalling whether or not it supports this
mechanisms even over HTTPS requests.  The reason is that in many cases
HSTS needs to be set conditionally on this feature.

We've put together a pull request for this change:


Unfortunately that does mean this mechanism is going to add a lot of
bytes on the wire, and we should consider mitigations like shortening
the Prefer: header, or only sending the Prefer: header for magic HTTPS
URLs like favicon.ico (since it's just going to be there to refresh
HSTS once every so often).

On Fri, Mar 06, 2015 at 08:51:38AM +0100, Mike West wrote:
> I've done some work on the "Upgrade Insecure Requests" spec since the FPWD
> was published (and have a 90% functional implementation behind a flag in
> Chrome). I'd appreciate it if folks here would take another look at the
> document to see if we're converging on something we like:
> https://w3c.github.io/webappsec/specs/upgrade/
> The only issue noted in the document is
> https://github.com/w3c/webappsec/issues/184, which suggests changing from a
> value-less directive to a whitelist of hosts. I can see how that would be
> valuable, but it seems like a complicated thing to add if we don't actually
> need it. Do folks here think it is necessary?
> In particular, I'm CCing some W3C folks (Ted and Yves) who participated in
> an earlier thread[1] to see if this would help them more quickly migrate to
> HTTPS. Hi! Does this help for the W3C's use-case?
> Basically, if what we have is good enough, I want to start shipping it in
> Chrome to get developer feedback (and to get sites migrated more quickly).
> If it's not good enough, I want to know how to make it better.
> Feedback welcome. :)
> [1]: https://lists.w3.org/Archives/Public/www-tag/2014Nov/0031.html
> --
> Mike West <mkwst@google.com>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Peter Eckersley                            pde@eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
Received on Friday, 6 March 2015 17:50:22 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:47 UTC