
Re: [UPGRADE] Consider plan B for reduced complexity?

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue, 17 Mar 2015 15:39:22 -0400
To: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>
Cc: Peter Eckersley <pde@eff.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eric Mill <eric@konklone.com>
Message-ID: <87twxjo1lh.fsf@alice.fifthhorseman.net>
On Tue 2015-03-17 13:10:50 -0400, Brad Hill wrote:
> Remember this isn't just about user agents.  A specifically motivating use
> case is sites that need to access data that is only available over http
> from legacy origins which are perhaps mostly-unmaintained and may take a
> very long time to get with the https program.
>
> In such cases, it is ideal to provide an application owner a way to get
> user-agent assistance in rewriting links automatically from http->https,
> a-la-HSTS, but not simultaneously force entire origins to be exclusively
> available over https, since they may need to occasionally send users to an
> application loaded from http in order that it might access insecure
> third-party data at legacy endpoints.

But it *is* about user agents.  If a site needs to access data itself
(without a user agent involved) it can do so with whatever policy it
wants.

        --dkg
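The disagreement above is about scope: HSTS is a host-wide, persistent rule a user agent applies to every request to that host, while the `upgrade-insecure-requests` directive is decided per embedding document. The following is an added editor's example, not code from the thread or from any browser; it models both rewrite rules in simplified form (no `includeSubDomains`, no port handling) to show why a site could keep one plain-http page under the second mechanism but not under the first. All host names and the policy state are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample state: hosts that have previously sent a
# Strict-Transport-Security header to this user agent.
HSTS_HOSTS = {"bank.example"}


def _to_https(parts):
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def apply_hsts(url, hsts_hosts=HSTS_HOSTS):
    """Host-wide rewrite: any http:// URL to a known HSTS host becomes
    https://, regardless of which page (if any) issued the request."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in hsts_hosts:
        return _to_https(parts)
    return url


def apply_uir(url, page_host, uir_enabled, is_navigation):
    """Per-document rewrite, applied only when the embedding page carried
    Content-Security-Policy: upgrade-insecure-requests.  Subresource fetches
    are upgraded whatever host they target; navigations are upgraded only
    when they stay on the page's own host."""
    parts = urlsplit(url)
    if not uir_enabled or parts.scheme != "http":
        return url
    if is_navigation and parts.hostname != page_host:
        return url
    return _to_https(parts)


def scenario():
    """The use case quoted in the thread: app.example wants links upgraded
    by default but still needs one page served over plain http so that it
    can read http-only data from legacy.example."""
    plain_page = "http://app.example/legacy-view"
    legacy_data = "http://legacy.example/data.json"
    out = {}
    # With HSTS set for app.example the plain page is rewritten to https
    # before it is requested, so it can never be loaded over http.
    out["hsts_http_page_reachable"] = apply_hsts(plain_page, {"app.example"}) == plain_page
    # With UIR the legacy-view page simply omits the directive; a direct
    # request for it is left alone, and so is its fetch of the legacy data.
    out["uir_http_page_reachable"] = apply_uir(plain_page, "app.example", False, True) == plain_page
    out["uir_legacy_fetch"] = apply_uir(legacy_data, "app.example", False, False)
    # Pages on the same site that do opt in get their http subresources upgraded.
    out["uir_optin_fetch"] = apply_uir("http://cdn.example/lib.js", "app.example", True, False)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model deliberately leaves out what happens after the rewrite (an upgraded fetch to a host with no TLS listener fails), which is exactly the breakage the quoted message worries about for "mostly-unmaintained" legacy origins.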
Received on Tuesday, 17 March 2015 19:39:52 UTC