Re: Testing W3C's HTTPS setup from Mike West on 2015-10-08 (public-webappsec@w3.org from October 2015)

From: Mike West <mkwst@google.com>
Date: Thu, 8 Oct 2015 15:56:57 +0200
To: T Guild <ted@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Jose Kahan <jose.kahan@w3.org>, Crispin Cowan <crispin@microsoft.com>, Rob.Trace@microsoft.com
Message-ID: <CAKXHy=eOHBUs1kARUdkoScNBvVqqhW59pJZ=8R0VKa5N87EwTg@mail.gmail.com>

On Thu, Oct 8, 2015 at 3:46 PM, Ted Guild <ted@w3.org> wrote:

> The problem comes from trying to combine HSTS (site wide) and upgrade
> insecure requests.
>

1. This is something that the signaling header is supposed to help with.
That is, if you know that your site requires the upgrade mechanism, then
you don't deliver an HSTS header unless that signal is present. That's item
#4 in the spec's recommendations:
https://w3c.github.io/webappsec-upgrade-insecure-requests/#recommendations.

2. Why is HSTS a requirement? It is certainly excellent when you're ready
to deploy it, but it's easily decoupled from the initial migration.

-mike

Received on Thursday, 8 October 2015 13:57:53 UTC