W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: Re: Testing W3C's HTTPS setup

From: Jose Kahan <jose.kahan@w3.org>
Date: Mon, 21 Sep 2015 12:28:55 +0200
To: Mike West <mkwst@google.com>
Cc: Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <20150921102855.GA7387@kiribati.inrialpes.fr>
Hi Mike,

We are in the process in deploying the hsts/https config from www-test
to our production servers. However, we got a snatch that wasn't
detected during our tests: the latest released firefox (40.0.3) doesn't
seem to apply the hsts rule before checking for mixed-content warning.

Today we had a news item with an absolute HTTP link to an image and this
revelead it. Firefox will also complain if there are absolute http
links to CSS files.

There is already a report for this issue and it is still open:

https://bugzilla.mozilla.org/show_bug.cgi?id=838395

In view of this, if there is no immediate solution we could apply, we're
going to have to roll-back the deployment and wait until it is fixed.

Any suggestions before we do this will be welcome.

Thanks,

-jose

On Mon, Sep 14, 2015 at 03:02:21PM +0200, Mike West wrote:
> 
> Ping. :) How have the tests been going over the last ~2 months? Any update
> on this work?
Received on Monday, 21 September 2015 10:29:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC