W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2015

Re: HSTS Priming, continued.

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 11 Nov 2015 16:06:54 -0500
To: Brian Smith <brian@briansmith.org>, Crispin Cowan <crispin@microsoft.com>
Cc: Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>, "public-webappsec\@w3.org" <public-webappsec@w3.org>, Richard Barnes <rbarnes@mozilla.com>, Jeff Hodges <jeff.hodges@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>
Message-ID: <87egfwp7o1.fsf@alice.fifthhorseman.net>
On Wed 2015-11-11 14:38:55 -0500, Brian Smith wrote:
> Crispin Cowan <crispin@microsoft.com> wrote:
>
>> Dumb/newbie question: wouldn’t HTTPS upgrades be easy if only client
>> browsers tried HTTPS *first* for every resource? Then fail back to HTTP
>> if policy allows, or block if policy disallows mixed content.
>
> I agree that this sounds better to me.

fwiw, i agree with Crispin and Brian that this approach seems simplest
and cleanest.

it also avoids the subtle shift in semantics of the
Strict-Transport-Security header described in
https://mikewest.github.io/hsts-priming/#goals, and doesn't depend on
the subresource's origin having enabled HSTS at all.

The main difference between Crispin's simple proposal and HSTS priming
seems to be for subresource origins that supply different content at
https vs. http URLs and don't set HSTS.

In priming, those particular subresources will be blocked or the http
resource fetched (depending on UA policy).  In the simple proposal, for
those particular subresources, the https resource will be fetched; if
that fails, the http resource will be fetched instead.

Do we need to care about this case enough to add the complexity of
priming?  or are there other corner cases where the two approaches will
behave differently?


Note that one of the reasons that the subresource origins don't want to
serve an HSTS header is precisely because they are afraid of *other*
consequences (mixed content results) for their own content that they
haven't been able to fix yet.  Priming the UA's HSTS cache doesn't
address this concern any better than the simple approach, and the simple
approach should work even with subresource origins that can serve https
but aren't yet confident enough about setting HSTS. 

       --dkg
Received on Wednesday, 11 November 2015 21:07:48 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:16 UTC