- From: Jose Kahan <jose.kahan@w3.org>
- Date: Mon, 21 Sep 2015 13:22:45 +0200
- To: Mike West <mkwst@google.com>
- Cc: Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Sep 21, 2015 at 12:59:46PM +0200, Mike West wrote:
>
> Is it possible that you're relying on `Upgrade-Insecure-Requests`, and that
> you're using a version of Firefox which doesn't yet support it? I think
> they're shipping in 42.

We have this problem when browsing the home page https://www.w3.org/, although we're sending back the CSP upgrade-insecure-requests and the Strict-Transport-Security one. We fixed it for that one news item but the problem appeared elsewhere. As you say, Firefox doesn't seem to support this header when the server sends it.

> > In view of this, if there is no immediate solution we could apply, we're
> > going to have to roll-back the deployment and wait until it is fixed.
>
> Wouldn't it be better to fix the absolute HTTP links? That would solve the
> problem for Firefox, and browsers like Safari that don't support the
> upgrade feature at all.

That's not possible. We have too much content and this is what the combination of HSTS and Upgrade-Insecure-Requests is supposed to do. If there's no other available solution at the moment that fixes Firefox's behavior, we'll have to roll back.

-jose
Received on Monday, 21 September 2015 11:22:56 UTC
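The thread turns on a deployment that relies on the `upgrade-insecure-requests` CSP directive plus HSTS to repair absolute `http://` links, and on what happens in a browser that ignores the directive. The following audit script is an added example, not code from the thread or from W3C; it takes a page's response headers and HTML, lists the `http://` subresources that depend on the upgrade directive, and splits them into loads a browser blocks outright when mixed (scripts, frames, stylesheets) and loads it merely warns about (images, media). The sample headers, HTML and hostnames are constructed for the example and are not w3.org content.

```python
"""Mixed-content audit for a page served over HTTPS.

Reports which absolute http:// subresource links are only rescued by the
`upgrade-insecure-requests` CSP directive, and therefore surface as mixed
content in a browser that does not honor it. Headers, HTML and hostnames
below are constructed sample data, not content from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample response for an HTTPS page.
SAMPLE_URL = "https://www.example.org/news/"
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.example.org/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="http://www.example.org/img/logo.png">
<img src="//static.example.org/banner.png">
<iframe src="http://video.example.net/embed/1"></iframe>
<a href="http://www.example.org/about/">About</a>
</body></html>
"""

# Tags whose URL attribute loads a subresource, and whether that load is
# "active" (blocked by browsers when mixed) or "passive" (loaded with a warning).
SUBRESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),   # only counted when rel="stylesheet", see below
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class SubresourceCollector(HTMLParser):
    """Collects (tag, absolute_url, kind) for every subresource reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCE_ATTRS:
            return
        attr_name, kind = SUBRESOURCE_ATTRS[tag]
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return  # icons, preloads etc. are not render-blocking stylesheets
        url = attrs.get(attr_name)
        if url:
            # Resolve relative and scheme-relative ("//host/...") links against the page.
            self.found.append((tag, urljoin(self.base_url, url), kind))


def header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def csp_directives(headers):
    """Return the set of directive names present in Content-Security-Policy."""
    policy = header(headers, "Content-Security-Policy")
    return {d.strip().split()[0].lower() for d in policy.split(";") if d.strip()}


def audit(headers, html, page_url):
    """Summarize how much the page depends on the upgrade directive."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    insecure = [(t, u, k) for t, u, k in collector.found if urlsplit(u).scheme == "http"]
    return {
        "upgrade_directive": "upgrade-insecure-requests" in csp_directives(headers),
        "hsts": bool(header(headers, "Strict-Transport-Security")),
        "insecure_subresources": insecure,
        "blocked_without_upgrade": [u for _, u, k in insecure if k == "active"],
        "warned_without_upgrade": [u for _, u, k in insecure if k == "passive"],
        # HSTS only rewrites requests to hosts the browser already knows as HSTS,
        # so third-party hosts are covered by the upgrade directive alone.
        "third_party_hosts": sorted({urlsplit(u).hostname for _, u, _ in insecure
                                     if urlsplit(u).hostname != page_host}),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_URL)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, the audit shows that the page's own `http://` links could be covered by HSTS once a browser has seen the header, but the two third-party hosts depend entirely on `upgrade-insecure-requests`, and three of the four insecure references are active content that a non-supporting browser blocks rather than merely flags. That is the kind of inventory that tells you, before rolling out, how much of a site breaks in browsers that do not honor the directive.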