On Mon, Mar 16, 2015 at 10:11 AM, Peter Eckersley <pde@eff.org> wrote:
> Daniel's proposal to make UPGRADE-like behaviour the default (with HSTS2
> as a way to make HSTS safely enableable on the same origins) allows
> sites to do resource-specific, or user-specific, migration from HTTP to
> HTTPS if they want to.
>
How? Without an explicit signal (from the server or the client), it's not
clear to me how you'd choose which users you could safely send to HTTPS for
a given resource. Could you spell this out in a little more detail?
(As an aside: I don't at all think that Daniel's proposal runs counter to
the UPGRADE spec. I think we can evaluate how to make aspects of that spec
default behavior in parallel to shipping it as an opt-in.)
> Is the main issue that you're flagging here the fact that sites can't
> similarly UPGRADE the optionally blockable mixed content on the
> resources of their choice?
>
The main issue I was flagging was control, and it's not clear to me how
you're proposing that it would be dealt with in an on-by-default world.
Maybe we're proposing the same thing? :)
Optionally-blockable mixed content is certainly also an important issue,
though, as it creates UI degradation, which developers very much wish to
avoid (as noted in #2 in the email you're responding to).
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)