
Re: Testing W3C's HTTPS setup

From: Jose Kahan <jose.kahan@w3.org>
Date: Mon, 21 Sep 2015 13:22:45 +0200
To: Mike West <mkwst@google.com>
Cc: Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <20150921112245.GB8108@kiribati.inrialpes.fr>
On Mon, Sep 21, 2015 at 12:59:46PM +0200, Mike West wrote:
> 
> Is it possible that you're relying on `Upgrade-Insecure-Requests`, and that
> you're using a version of Firefox which doesn't yet support it? I think
> they're shipping in 42.

We have this problem when browsing the home page https://www.w3.org/,
although we're sending back the CSP upgrade-insecure-requests and the
Strict-Transport-Security one. We fixed it for that one news item
but the problem appeared elsewhere.

As you say, firefox doesn't seem to support this header when the
server sends it.

> > In view of this, if there is no immediate solution we could apply, we're
> > going to have to roll-back the deployment and wait until it is fixed.
> >
> 
> Wouldn't it be better to fix the absolute HTTP links? That would solve the
> problem for Firefox, and browsers like Safari that don't support the
> upgrade feature at all.

That's not possible. We have too much content and this is what
the combination of HSTS and Upgrade-Insecure-Requests is supposed
to do. 

If there's no other available solution at the moment that fixes
firefox's behavior, we'll have to roll-back.

-jose
Received on Monday, 21 September 2015 11:22:56 UTC
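The situation Jose describes (an HTTPS page full of absolute http:// links, served with both a Strict-Transport-Security header and a CSP upgrade-insecure-requests directive, viewed by a browser that may or may not implement the upgrade) can be modelled to see which links actually get upgraded and which end up as mixed content. The script below is an added example, not code from this thread or from W3C; the HTML and headers are constructed. It deliberately simplifies the browser: upgrade-insecure-requests is applied to every subresource and to navigations back to the page's own host, and the only HSTS entry it knows about is the one the page itself sends (a real browser would also apply HSTS entries it had cached earlier for other hosts such as lists.w3.org).

```python
"""Model how a browser resolves absolute http:// references found on an HTTPS
page, given the page's HSTS and CSP upgrade-insecure-requests headers.
Added example; simplified browser behaviour, see the lead-in."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Element/attribute pairs scanned, and the kind of request each produces.
SUBRESOURCE = {("img", "src"), ("script", "src"), ("link", "href"), ("iframe", "src")}
NAVIGATION = {("a", "href"), ("form", "action")}


def parse_hsts(value):
    """Return (max_age, include_subdomains) for an STS header value, or None if
    the header is absent or malformed (browsers ignore a malformed header)."""
    if value is None:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def csp_has_uir(value):
    """True if a Content-Security-Policy value carries upgrade-insecure-requests."""
    return value is not None and any(
        d.strip().lower() == "upgrade-insecure-requests" for d in value.split(";"))


def hsts_covers(host, cache):
    """cache maps host -> includeSubDomains flag. A host is covered by its own
    entry, or by a parent domain's entry that has includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in cache and (i == 0 or cache[parent]):
            return True
    return False


class LinkCollector(HTMLParser):
    """Collect (url, kind) for the attributes listed above, in document order."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for attr, val in attrs:
            if (tag, attr) in SUBRESOURCE:
                self.links.append((val, "subresource"))
            elif (tag, attr) in NAVIGATION:
                self.links.append((val, "navigation"))


def resolve(url, kind, page_host, uir_active, hsts_cache):
    """Return (url the browser fetches, mechanism). mechanism is 'uir', 'hsts'
    or 'none'; 'none' on a subresource means it is requested over http and
    therefore blocked or flagged as mixed content."""
    parts = urlsplit(url)
    https = urlunsplit(("https",) + tuple(parts[1:]))
    # Simplification: UIR upgrades all subresources and same-host navigations.
    if uir_active and (kind == "subresource" or parts.hostname == page_host):
        return https, "uir"
    if hsts_covers(parts.hostname, hsts_cache):
        return https, "hsts"
    return url, "none"


def classify(html, page_url, headers, browser_supports_uir):
    """Return [(original_url, kind, fetched_url, mechanism)] for every absolute
    http:// reference in html, as a browser with or without UIR support would
    handle it. The HSTS cache is seeded only from this page's own STS header."""
    page_host = urlsplit(page_url).hostname
    hsts = parse_hsts(headers.get("Strict-Transport-Security"))
    cache = {page_host: hsts[1]} if hsts and hsts[0] > 0 else {}
    uir_active = browser_supports_uir and csp_has_uir(headers.get("Content-Security-Policy"))
    collector = LinkCollector()
    collector.feed(html)
    return [(url, kind) + resolve(url, kind, page_host, uir_active, cache)
            for url, kind in collector.links if url.startswith("http://")]


def mixed_content(results):
    """Subresource URLs that would still be fetched over plain http."""
    return [r[0] for r in results if r[1] == "subresource" and r[3] == "none"]


# Constructed sample page and headers (not taken from www.w3.org).
SAMPLE_HTML = """<html><body>
<img src="http://www.w3.org/Icons/w3c_home">
<script src="http://lists.w3.org/example.js"></script>
<a href="http://www.w3.org/TR/">specs</a>
<a href="http://lists.w3.org/Archives/Public/">archives</a>
</body></html>"""
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000",
                  "Content-Security-Policy": "upgrade-insecure-requests"}

if __name__ == "__main__":
    for supports in (True, False):
        print("browser supports UIR:", supports)
        for row in classify(SAMPLE_HTML, "https://www.w3.org/", SAMPLE_HEADERS, supports):
            print("  ", row)
        print("  mixed content:", mixed_content(
            classify(SAMPLE_HTML, "https://www.w3.org/", SAMPLE_HEADERS, supports)))
```

Running it shows the asymmetry behind the thread: with UIR support every subresource is upgraded regardless of host, while without it (Firefox before 42, Safari) HSTS only rescues references to the host that sent the header, so a script pulled from another host over http:// stays mixed content and is blocked. That is exactly why the headers alone could not replace fixing the absolute links for non-supporting browsers.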
