W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: Re: Testing W3C's HTTPS setup

From: Mike West <mkwst@google.com>
Date: Mon, 21 Sep 2015 12:59:46 +0200
Message-ID: <CAKXHy=edqMJ5tG8ry0B9ueyrugJFX9pz_Z89W20mH15qEqdFPQ@mail.gmail.com>
To: Jose Kahan <jose.kahan@w3.org>
Cc: Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Sep 21, 2015 at 12:28 PM, Jose Kahan <jose.kahan@w3.org> wrote:

> We are in the process of deploying the hsts/https config from www-test
> to our production servers. However, we got a snag that wasn't
> detected during our tests: the latest released firefox (40.0.3) doesn't
> seem to apply the hsts rule before checking for mixed-content warning.
>

I don't think that any browser applies HSTS before mixed content (see steps
4 and 6 of https://fetch.spec.whatwg.org/#main-fetch).


> Today we had a news item with an absolute HTTP link to an image and this
> revealed it. Firefox will also complain if there are absolute http
> links to CSS files.
>

Is it possible that you're relying on `Upgrade-Insecure-Requests`, and that
you're using a version of Firefox which doesn't yet support it? I think
they're shipping in 42.


> In view of this, if there is no immediate solution we could apply, we're
> going to have to roll-back the deployment and wait until it is fixed.
>

Wouldn't it be better to fix the absolute HTTP links? That would solve the
problem for Firefox, and browsers like Safari that don't support the
upgrade feature at all.

-mike
Received on Monday, 21 September 2015 11:00:34 UTC
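Mike's advice above is to fix the absolute http: subresource links rather than rely on the upgrade feature (Firefox's Upgrade-Insecure-Requests support, or the lack of it in Safari). The following is an added example, not code from the thread or from W3C's tooling: a small checker that parses a page, reports every subresource reference that still resolves to http: when the page is served over https:, and optionally rewrites those references to https:. Relative and protocol-relative URLs are resolved against the page URL, so only genuinely absolute http: links are flagged, which is exactly the case Jose describes. The sample HTML, page URL and hostnames are constructed for the example; rewriting assumes the referenced hosts actually serve the resource over https.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that load subresources. Loaded over http: from an
# https: page these trigger the browser's mixed-content check; as the thread
# notes, HSTS is not consulted before that check, so they must be fixed in
# the markup (or upgraded via Content-Security-Policy: upgrade-insecure-requests
# where the browser supports it).
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}

# <link> elements that actually fetch something; rel="alternate" etc. do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload",
                      "prefetch", "manifest"}


class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url, line) for each http: subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if not FETCHING_LINK_RELS.intersection(rel):
                return
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":
                # srcset is "url [descriptor], url [descriptor], ..."
                urls = [p.strip().split()[0] for p in value.split(",") if p.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                # Relative and protocol-relative references inherit the page's
                # scheme and are fine; only absolute http: survives resolution.
                if urlsplit(urljoin(self.page_url, url)).scheme == "http":
                    self.findings.append((tag, attr, url, self.getpos()[0]))


def find_mixed_content(html, page_url):
    """Return the list of http: subresource references found in `html`."""
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def upgrade_http_urls(html, findings):
    """Rewrite each flagged http: URL to https:. Assumes the host serves the
    resource over https; verify that before deploying the rewritten page."""
    for _tag, _attr, url, _line in findings:
        html = html.replace(url, "https://" + url[len("http://"):])
    return html


# Constructed sample page, standing in for a news item like the one in the
# thread. The hostnames and paths are made up for the example.
PAGE_URL = "https://www.example.org/News/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.org/css/base.css">
<link rel="stylesheet" href="/2008/site/css/minimum.css">
<link rel="alternate" type="application/rss+xml" href="http://www.example.org/News/feed">
</head><body>
<img src="//www.example.org/Icons/home.png" alt="home">
<img src="http://cdn.example.net/2015/09/news-image.png" alt="news item">
<script src="https://www.example.org/js/main.js"></script>
<a href="http://www.example.org/">a plain link is navigation, not a subresource</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, line in find_mixed_content(SAMPLE_HTML, PAGE_URL):
        print(f"line {line}: <{tag} {attr}> loads {url} over http")
```

Run it against the rendered HTML of each page before flipping production to https; the two flagged lines in the sample (the stylesheet and the news image) are the kind of reference that makes Firefox 40 complain regardless of the HSTS header, while the protocol-relative icon, the site-relative stylesheet and the `rel="alternate"` feed link are left alone.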
