
Re: [UPGRADE]: What's left?

From: Peter Eckersley <pde@eff.org>
Date: Sat, 7 Mar 2015 02:36:30 -0800
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>, Ilya Grigorik <igrigorik@google.com>, Yoav Weiss <yoav@yoav.ws>
Message-ID: <20150307103630.GX7934@eff.org>

On Fri, Mar 06, 2015 at 07:43:55PM +0100, Mike West wrote:

> I don't understand why HSTS needs to be conditionally set. Presumably
> you're only redirecting "safely upgradable requests" to HTTPS if you're
> this spec's target audience.

It's very important that HSTS be conditionally settable, because even if
the site itself only conditionally redirects to HTTPS, inbound links
from other sites will send old clients to the HTTPS site, and they'll
pick up the HSTS header that way.

Now that I think about it, some sites will also need to serve
conditional downgrade redirects from HTTPS -> HTTP if the header is
absent, in order to preempt mixed content breakage :(

-- 
Peter Eckersley                            pde@eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
Received on Saturday, 7 March 2015 10:37:02 UTC
