- From: Peter Eckersley <pde@eff.org>
- Date: Mon, 16 Mar 2015 02:11:59 -0700
- To: Mike West <mkwst@google.com>
- Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eric Mill <eric@konklone.com>
On Tue, Mar 10, 2015 at 08:58:15AM +0100, Mike West wrote:
> 3. Finally, there's the central question of risk and motivation. I'd
> like to target those authors who are on the fence about migrating to HTTPS.
> I expect those authors to be skeptical about their TLS configuration, and I
> would like to give them a way of slowly rolling out behaviors across their
> user base in order to gain confidence and fix bugs for a subset of users,
> before turning on a behavior for everyone. I don't think they'll accept
> anything less.
>
> A resource-specific opt-in that covers both content types seems to provide
> a path forward on these problems (and certainly doesn't prevent user agents
> from experimenting with changing behavior for blockable mixed content in
> parallel).

Daniel's proposal to make UPGRADE-like behaviour the default (with HSTS2 as a
way to make HSTS safely enableable on the same origins) allows sites to do
resource-specific, or user-specific, migration from HTTP to HTTPS if they
want to.

Is the main issue that you're flagging here the fact that sites can't
similarly UPGRADE the optionally blockable mixed content on the resources of
their choice?

-- 
Peter Eckersley                            pde@eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
Received on Monday, 16 March 2015 09:12:32 UTC
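The exchange above turns on what a browser does with an `http://` subresource requested from an `https://` page: upgrade it (HSTS, or the page's `upgrade-insecure-requests` opt-in), block it (blockable mixed content such as scripts and frames), or load it anyway (optionally blockable content such as images). The following Python model is an added example, not code from the thread or from any browser; it follows the Mixed Content and upgrade-insecure-requests specs in simplified form, assumes HSTS rewriting is applied before the mixed-content check, treats only image, audio and video as optionally blockable, and adds a constructed `csp_header_for` helper showing the per-user staged rollout of the opt-in header that Mike describes. `HSTS2` from the thread is a proposal and is not modelled.

```python
"""Toy model of mixed-content disposition for an https:// page.

Constructed example (not from the thread). Returns one of:
  'secure'  - resource is already https, nothing to decide
  'upgrade' - request rewritten to https (HSTS or upgrade-insecure-requests)
  'block'   - blockable mixed content, request dropped
  'allow'   - optionally blockable mixed content, loaded with UI degradation
"""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Destinations the Mixed Content spec classes as optionally blockable.
# Everything else (script, frame, fetch/XHR, style, ...) is blockable.
OPTIONALLY_BLOCKABLE = {"image", "audio", "video"}


@dataclass
class Page:
    url: str
    upgrade_insecure_requests: bool = False  # CSP directive delivered with the page?


@dataclass
class Browser:
    hsts_hosts: set = field(default_factory=set)  # hosts with a cached HSTS policy

    def dispose(self, page: Page, resource_url: str, destination: str):
        """Decide what happens to one subresource request; returns (action, url)."""
        parts = urlsplit(resource_url)
        if parts.scheme != "http":
            return "secure", resource_url
        https_url = parts._replace(scheme="https").geturl()

        # Assumption of this model: HSTS rewrites the URL before any
        # mixed-content check, so the page's policy is irrelevant here.
        if parts.hostname in self.hsts_hosts:
            return "upgrade", https_url

        # An http:// page has no mixed-content problem to begin with.
        if urlsplit(page.url).scheme != "https":
            return "allow", resource_url

        # The resource-specific opt-in: every in-page http:// request is
        # upgraded, for both blockable and optionally blockable content.
        if page.upgrade_insecure_requests:
            return "upgrade", https_url

        # Default behaviour without the opt-in: block or degrade by category.
        if destination in OPTIONALLY_BLOCKABLE:
            return "allow", resource_url
        return "block", resource_url


def csp_header_for(user_id: str, rollout_percent: int) -> dict:
    """Server-side staged rollout (constructed helper): deterministically
    bucket users 0..99 by hash and send the opt-in header only to the
    buckets below rollout_percent, so a subset of users exercises the new
    behaviour first."""
    bucket = int(hashlib.sha256(user_id.encode()).hexdigest(), 16) % 100
    if bucket < rollout_percent:
        return {"Content-Security-Policy": "upgrade-insecure-requests"}
    return {}


if __name__ == "__main__":
    browser = Browser(hsts_hosts={"hsts.example"})
    page = Page("https://site.example/", upgrade_insecure_requests=False)
    for url, dest in [("http://cdn.example/app.js", "script"),
                      ("http://cdn.example/logo.png", "image"),
                      ("http://hsts.example/app.js", "script")]:
        print(dest, url, "->", browser.dispose(page, url, dest))
    page.upgrade_insecure_requests = True
    print("with opt-in:", browser.dispose(page, "http://cdn.example/app.js", "script"))
    print(csp_header_for("user-42", 10), csp_header_for("user-42", 100))
```

Run with the page's opt-in toggled to see the difference the thread is about: without it, the script is blocked while the image loads as mixed content; with it, both are upgraded to `https://` before any blocking decision is made.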