Re: Testing W3C's HTTPS setup from Ted Guild on 2015-10-08 (public-webappsec@w3.org from October 2015)

From: Ted Guild <ted@w3.org>
Date: Thu, 08 Oct 2015 09:46:59 -0400
To: Mike West <mkwst@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Jose Kahan <jose.kahan@w3.org>, Crispin Cowan <crispin@microsoft.com>, Rob.Trace@microsoft.com
Message-ID: <1444312019.10610.109.camel@w3.org>

The problem comes from trying to combine HSTS (site wide) and upgrade
insecure requests.

On Thu, 2015-10-08 at 15:30 +0200, Mike West wrote:
>         W3C has never previously pushed the envelope on adopting
>         standards on
>         its site that would degrade the experience for some UA.
> 
> 
> How does this migration "degrade the experience for some UA"? Does the
> signaling header not give you enough detail to know when a user agent
> can be upgraded, and when it can't?
> 
> 
>         No specific date set yet but likely November.  Deployment
>         timing can
>         also be influenced to coordinate with other sites.
> 
> 
> Would it be possible to redirect particular resources before November?
> Every spec this group has published in TR space, for example? :) Those
> resources can be upgraded for all users without mixed content issues. 

-- 
Ted Guild <ted@w3.org>
W3C Systems Team
http://www.w3.org

Received on Thursday, 8 October 2015 13:47:09 UTC