
Re: [UPGRADE] Consider plan B for reduced complexity?

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 17 Mar 2015 20:05:26 +0000
Message-ID: <CAEeYn8iMQGxEtAVmh=ERJKMMjABQ7d3_hdVzGDcRT-7H8PWGyw@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mike West <mkwst@google.com>
Cc: Peter Eckersley <pde@eff.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eric Mill <eric@konklone.com>
Proxying content on the back end is one way around this for some use
cases, but not a universal solution.

On Tue, Mar 17, 2015 at 12:39 PM Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:

> On Tue 2015-03-17 13:10:50 -0400, Brad Hill wrote:
> > Remember this isn't just about user agents.  A specifically motivating
> > use case is sites that need to access data that is only available over
> > http from legacy origins which are perhaps mostly-unmaintained and may
> > take a very long time to get with the https program.
> >
> > In such cases, it is ideal to provide an application owner a way to get
> > user-agent assistance in rewriting links automatically from http->https,
> > a-la-HSTS, but not simultaneously force entire origins to be exclusively
> > available over https, since they may need to occasionally send users to
> > an application loaded from http in order that it might access insecure
> > third-party data at legacy endpoints.
>
> But it *is* about user agents.  If a site needs to access data itself
> (without a user agent involved) it can do so with whatever policy it
> wants.
>
>         --dkg
>
Received on Tuesday, 17 March 2015 20:05:53 UTC
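The back-end proxying workaround mentioned in the reply, as an added example that is not code from the thread or from the UPGRADE spec: an https front end fetches http-only legacy data server-side from a fixed allowlist (so the endpoint cannot be used as an open proxy), strips upstream policy headers, and marks its own response with the per-response `upgrade-insecure-requests` CSP directive rather than an origin-wide HSTS commitment. The upstream names, URLs and the `fetch` hook are constructed for this example.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin

# Constructed allowlist: browser-facing name -> legacy http upstream base URL.
# Anything not listed here is refused, so the endpoint is not an open proxy.
LEGACY_UPSTREAMS: Dict[str, str] = {
    "weather": "http://legacy-weather.example.net/api/",
    "stocks": "http://old-quotes.example.org/v1/",
}

# Upstream headers that must not leak through to the client: the legacy
# origin's own policy and cookies belong to it, not to the https front end.
DROP_HEADERS = {"strict-transport-security", "content-security-policy",
                "set-cookie", "transfer-encoding", "connection"}

# Server-side fetch hook (injected so the example runs offline):
# url -> (status, headers, body).
Fetcher = Callable[[str], Tuple[int, Dict[str, str], bytes]]


def resolve_upstream(name: str, subpath: str) -> Optional[str]:
    """Map /legacy/<name>/<subpath> onto an allowlisted upstream URL, or None."""
    base = LEGACY_UPSTREAMS.get(name)
    if base is None or subpath.startswith("/") or ".." in subpath.split("/"):
        return None
    target = urljoin(base, subpath)
    # urljoin replaces the base when subpath is an absolute or scheme-relative
    # URL; refuse anything that escaped the allowlisted prefix.
    if not target.startswith(base):
        return None
    return target


def proxy_legacy(name: str, subpath: str,
                 fetch: Fetcher) -> Tuple[int, Dict[str, str], bytes]:
    """Fetch legacy data on the back end and serve it under the https origin."""
    target = resolve_upstream(name, subpath)
    if target is None:
        return 404, {"Content-Type": "text/plain"}, b"unknown legacy resource"
    status, headers, body = fetch(target)
    out = {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS}
    # Per-response opt-in: the UA upgrades this page's own subresource loads,
    # without the whole-origin, long-lived commitment an HSTS header makes.
    out["Content-Security-Policy"] = "upgrade-insecure-requests"
    return status, out, body
```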