
Re: Re: Testing W3C's HTTPS setup

From: Mike West <mkwst@google.com>
Date: Mon, 21 Sep 2015 12:59:46 +0200
Message-ID: <CAKXHy=edqMJ5tG8ry0B9ueyrugJFX9pz_Z89W20mH15qEqdFPQ@mail.gmail.com>
To: Jose Kahan <jose.kahan@w3.org>
Cc: Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Sep 21, 2015 at 12:28 PM, Jose Kahan <jose.kahan@w3.org> wrote:

> We are in the process of deploying the hsts/https config from www-test
> to our production servers. However, we got a snatch that wasn't
> detected during our tests: the latest released Firefox (40.0.3) doesn't
> seem to apply the hsts rule before checking for mixed-content warning.

I don't think that any browser applies HSTS before mixed content (see steps
4 and 6 of https://fetch.spec.whatwg.org/#main-fetch).

> Today we had a news item with an absolute HTTP link to an image and this
> revealed it. Firefox will also complain if there are absolute http
> links to CSS files.

Is it possible that you're relying on `Upgrade-Insecure-Requests`, and that
you're using a version of Firefox which doesn't yet support it? I think
they're shipping in 42.

> In view of this, if there is no immediate solution we could apply, we're
> going to have to roll back the deployment and wait until it is fixed.

Wouldn't it be better to fix the absolute HTTP links? That would solve the
problem for Firefox, and browsers like Safari that don't support the
upgrade feature at all.
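
The ordering Mike points to (upgrade-insecure-requests first, then the mixed content check, and only then HSTS), modelled as an added Python example that is not from this thread, the Fetch spec or any browser: HSTS_HOSTS and the sample markup are constructed, and the model ignores the spec's other conditions (potentially trustworthy origins, localhost, non-http schemes). It also includes the remedy Mike suggests, a scan of a page for the absolute http:// subresource links that trip the check.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed: hosts for which this client has a cached HSTS policy.
HSTS_HOSTS = {"www.w3.org"}
# Destinations Mixed Content classes as optionally-blockable: 2015-era
# browsers load these with a warning; everything else is blocked outright.
OPTIONALLY_BLOCKABLE = {"image", "audio", "video"}


def main_fetch(url, page_url, destination, upgrade_insecure_requests=False):
    """Simplified model of the relevant main-fetch steps. Returns (outcome, url)."""
    parts = urlsplit(url)
    # 1. Upgrade-Insecure-Requests rewrites http -> https before anything else.
    if upgrade_insecure_requests and parts.scheme == "http":
        parts = parts._replace(scheme="https")
    # 2. The mixed content check runs next; HSTS has not been consulted yet.
    if urlsplit(page_url).scheme == "https" and parts.scheme == "http":
        outcome = "warn" if destination in OPTIONALLY_BLOCKABLE else "blocked"
        return outcome, urlunsplit(parts)
    # 3. HSTS upgrade: only requests that survived step 2 get here.
    if parts.scheme == "http" and parts.hostname in HSTS_HOSTS:
        parts = parts._replace(scheme="https")
    return "fetch", urlunsplit(parts)


class AbsoluteHttpLinks(HTMLParser):
    """Collect absolute http:// subresource references with their destination."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (url, destination)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            url, dest = a.get("src", ""), "image"
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            url, dest = a.get("href", ""), "style"
        elif tag == "script":
            url, dest = a.get("src", ""), "script"
        else:
            return
        if url.lower().startswith("http://"):
            self.found.append((url, dest))


def audit(html, page_url, upgrade_insecure_requests=False):
    """Report what a browser would do with each absolute http:// link on the page."""
    parser = AbsoluteHttpLinks()
    parser.feed(html)
    return [(u, main_fetch(u, page_url, d, upgrade_insecure_requests)[0])
            for u, d in parser.found]
```

On an http:// page HSTS still upgrades the same image request, which is why the problem only surfaced once the page itself moved to https.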

Received on Monday, 21 September 2015 11:00:34 UTC
