
Re: Testing W3C's HTTPS setup

From: Mike West <mkwst@google.com>
Date: Thu, 8 Oct 2015 15:56:57 +0200
Message-ID: <CAKXHy=eOHBUs1kARUdkoScNBvVqqhW59pJZ=8R0VKa5N87EwTg@mail.gmail.com>
To: T Guild <ted@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Jose Kahan <jose.kahan@w3.org>, Crispin Cowan <crispin@microsoft.com>, Rob.Trace@microsoft.com
On Thu, Oct 8, 2015 at 3:46 PM, Ted Guild <ted@w3.org> wrote:

> The problem comes from trying to combine HSTS (site wide) and upgrade
> insecure requests.
>

1. This is something that the signaling header is supposed to help with.
That is, if you know that your site requires the upgrade mechanism, then
you don't deliver an HSTS header unless that signal is present. That's item
#4 in the spec's recommendations:
https://w3c.github.io/webappsec-upgrade-insecure-requests/#recommendations.

2. Why is HSTS a requirement? It is certainly excellent when you're ready
to deploy it, but it's easily decoupled from the initial migration.

-mike
Received on Thursday, 8 October 2015 13:57:53 UTC
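The decoupling Mike describes in point 1 (only send HSTS once the client has signalled that it supports the upgrade mechanism) is easy to get wrong at the server. The following is an added illustration, not code from the thread or from W3C's setup: a small Python header builder that always emits the `upgrade-insecure-requests` CSP directive but adds `Strict-Transport-Security` only on a TLS response whose request carried `Upgrade-Insecure-Requests: 1`. The max-age value and the sample requests are constructed for the example.

```python
"""Conditional HSTS delivery keyed on the Upgrade-Insecure-Requests signal.

Added example (not from the original thread). It shows how a server can
ship the upgrade directive site-wide while deferring HSTS until a client
proves it can upgrade insecure subresources.
"""

from typing import Mapping

# Constructed sample values; a real deployment chooses its own max-age.
HSTS_VALUE = "max-age=31536000; includeSubDomains"
UIR_POLICY = "upgrade-insecure-requests"


def client_signals_upgrade(request_headers: Mapping[str, str]) -> bool:
    """True when the client sent `Upgrade-Insecure-Requests: 1`.

    HTTP header names are case-insensitive, so normalise before the lookup.
    """
    lowered = {k.lower(): v.strip() for k, v in request_headers.items()}
    return lowered.get("upgrade-insecure-requests") == "1"


def security_headers(request_headers: Mapping[str, str], over_tls: bool) -> dict:
    """Build the security-relevant response headers for one request.

    - The CSP `upgrade-insecure-requests` directive is always emitted; a
      client that does not understand it simply ignores it.
    - Strict-Transport-Security is emitted only on a TLS response (browsers
      discard it over plain HTTP anyway) and only when the client has
      signalled support for the upgrade mechanism, so a browser that cannot
      rewrite mixed content is never pinned to HTTPS by a stale HSTS entry.
    - Vary tells caches to keep the two response variants apart.
    """
    headers = {"Content-Security-Policy": UIR_POLICY}
    if over_tls and client_signals_upgrade(request_headers):
        headers["Strict-Transport-Security"] = HSTS_VALUE
    headers["Vary"] = "Upgrade-Insecure-Requests"
    return headers


if __name__ == "__main__":
    # Constructed requests: a modern browser, a legacy client, and a plain
    # HTTP request from a modern browser.
    samples = [
        ({"Upgrade-Insecure-Requests": "1"}, True),
        ({"User-Agent": "legacy/1.0"}, True),
        ({"Upgrade-Insecure-Requests": "1"}, False),
    ]
    for req, tls in samples:
        print(req, "tls" if tls else "http", "->", security_headers(req, tls))
```

Keying HSTS on the signal means the first HTTPS visit from a capable browser turns HSTS on, while older clients keep reaching the site over whichever scheme they requested; the `Vary` header is what stops a shared cache from handing the HSTS-bearing variant to a client that never sent the signal.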
