
Re: [UPGRADE]: What's left?

From: Mike West <mkwst@google.com>
Date: Mon, 16 Mar 2015 09:25:48 +0100
Message-ID: <CAKXHy=cXUoKXwJr0ZojcovLGB=6LKcaDepDWQyvfVGXbNX0+zA@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Ilya Grigorik <igrigorik@google.com>, Martin Thomson <martin.thomson@gmail.com>, Brad Hill <hillbrad@gmail.com>, Eric Mill <eric@konklone.com>, Peter Eckersley <pde@eff.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>, Yoav Weiss <yoav@yoav.ws>, Mark Nottingham <mnot@mnot.net>
On Mon, Mar 16, 2015 at 7:26 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:

> The 200+implicit redirect case is only going to be implemented by sites
> that can't go ahead and do a 302 redirect to https in the first place.
>

Right. That's basically the use case I'm targeting here: servers that
require the upgrade mechanism, because they haven't done the work to
support every browser right away.


> the outbound Prefer: on every http:// (and https://, if we want to signal
> safety for HSTS) has to be done by the client on *every* navigational
> request, even for sites that have already done a full migration.
>
> As a stepping stone, the 200+implicit redirect seems like something most
> parts of the web could get rid of eventually, whereas the Prefer: header
> on all outbound navigations seems like permanent cruft in the stack.
>

I agree with this sentiment.

The spec currently limits the `Prefer` header's impact by limiting it to
insecure transport (with the assumption that we'll eventually all be secure
all the time, and therefore that the header will simply vanish over time).
I'd be perfectly happy to drop it entirely, as proposed in
https://github.com/w3c/webappsec/issues/212. I'm less enthused about
expanding its scope, as proposed in
https://github.com/w3c/webappsec/pull/209.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 16 March 2015 08:26:35 UTC
