- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Tue, 12 Apr 2016 18:17:54 -0400
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Jose Kahan <jose.kahan@w3.org>, Ted Guild <ted@w3.org>
Hi WebAppSec, As Upgrade Insecure Requests is not currently implemented in all of the major browsers, W3C has decided to change the setup of the w3.org site. Instead of issuing HSTS and Upgrade Insecure to all clients, which was causing mixed-content blockage in several browsers, the site is now doing user-agent switching: offering HTTPS to those clients that support Upgrade Insecure, and HTTP to those that don't yet support it. We've talked with large site operators who look forward to using Upgrade Insecure to update their sites to HTTPS. We similarly look forward to helping all browsers to implement the Upgrade Insecure Requests spec and retiring the UA-sniffing setup on w3.org. Thanks, --Wendy -- Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) Policy Counsel and Domain Lead, World Wide Web Consortium (W3C) https://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Tuesday, 12 April 2016 22:17:59 UTC