- From: Ted Guild <ted@w3.org>
- Date: Thu, 08 Oct 2015 09:08:15 -0400
- To: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>
- Cc: public-webappsec@w3.org, Wendy Seltzer <wseltzer@w3.org>, Jose Kahan <jose.kahan@w3.org>
- Message-ID: <1444309695.10610.106.camel@w3.org>
Here is an update of internal discussions and how the WG can help.

First of all, thank you for moving the spec to CR. That gives us more legitimacy in moving our site to HSTS+Upgrade Insecure Requests. Given how few browsers currently support this and Firefox 42 will in early November, we are inclined to wait a little longer as it gives us two browser implementations on every major OS. We would not want to make such a disruptive move before TPAC.

http://caniuse.com/#feat=upgradeinsecurerequests

We are encouraging other browser vendors to implement this and would like the WG to as well. Do you have any additional feedback or knowledge of browser support timelines you could share with us?

W3C has never previously pushed the envelope on adopting standards on its site that would degrade the experience for some UA. We are willing to for this because we feel it can have a broad impact in increasing end to end encryption on the web. We would like other large and complex site operators, especially those with larger audiences than us, to follow suit. Here too the WG can help and see if any such operators among them are willing to join us in this move.

No specific date set yet but likely November. Deployment timing can also be influenced to coordinate with other sites.

Brad, we would like to at least cite your writeup in an article we will write to promote this. It explains the HTTPS upgrade conundrum for site operators very well and would welcome your and other WG input.

http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

> Can you help me understand your expectations around HSTS and
> `upgrade-insecure-requests`? In particular, it's not at all clear to me
> what was happening in Firefox that wasn't happening in other browsers that
> don't support the header (which, presumably, you also want to support on
> the website).

--
Ted Guild <ted@w3.org>
W3C Systems Team
http://www.w3.org
Received on Thursday, 8 October 2015 13:08:20 UTC