W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Re: [UPGRADE] Consider plan B for reduced complexity?

From: Mike West <mkwst@google.com>
Date: Fri, 13 Mar 2015 07:42:55 +0100
Message-ID: <CAKXHy=d988b=f8VfgbXASCW8cQujH=4-e6WvvU_URb5RDDAmYg@mail.gmail.com>
To: "Nottingham, Mark" <mnotting@akamai.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Mar 13, 2015 at 5:48 AM, Nottingham, Mark <mnotting@akamai.com>
wrote:

> I think it's drawing a very long bow to think that that only applies to
> user navigation and not subresource dereferences. And, doing a quick test,
> I find that Chrome and Firefox won't load <
> http://www.mnot.net/lib/script.js> when HSTS is in use, but Safari will.
>
> So arguably Chrome and Firefox aren't conformant to HSTS -- or more
> likely, the relationship between mixed content and HSTS hasn't been
> properly specified (as the HSTS spec alludes to).
>

The relationship has been specified (see step 5 of
https://fetch.spec.whatwg.org/#fetching, which comes after MIX and CSP in
step 3).

You're seeing divergent behavior in Safari because Safari doesn't block
mixed content at all. That script will load just fine over HTTP, which
isn't behavior I'd suggest we replicate. Safari does, however, warn you
about mixed content, even if HSTS is in place.

This is in-line with every other browser's behavior (including, I believe,
IE Next). Folks from Chrome have expressed explicit reluctance to change
this behavior, and I haven't seen folks from other browsers disagree.
*shrug*


> In a perfect world, this would have been all figured out before HSTS was
> deployed. As it is, I like Dan's proposal more than
> upgrade-insecure-requests (but will continue to give feedback on the latter
> regardless).


Again, I think this comes down to the developer ergonomics of a host-wide
switch vs a representation-specific switch. The latter has some advantages,
which I've tried to outline in this thread and the other (
https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0049.html,
for example). Did none of that resonate with you?

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 13 March 2015 06:43:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:11 UTC