Re: Update to site configuration [UPGRADE]

Has the W3C done any work to rewrite `http://` links on its previously
published documents to `https://`, to avoid mixed content warnings

It looks like you could eliminate huge classes of warnings by just
regex-ing an "s" into place on many of the W3's old pages, and it looks
like they are generally maintained as static files that would make this
easy to do.

This could be a more fruitful way for to improve its security while
remaining usable, rather than waiting on UIR to make it into every browser.

-- Eric

On Tue, Apr 12, 2016 at 6:17 PM, Wendy Seltzer <> wrote:

> Hi WebAppSec,
> As Upgrade Insecure Requests is not currently implemented in all of the
> major browsers, W3C has decided to change the setup of the site.
> Instead of issuing HSTS and Upgrade Insecure to all clients, which was
> causing mixed-content blockage in several browsers, the site is now
> doing user-agent switching: offering HTTPS to those clients that support
> Upgrade Insecure, and HTTP to those that don't yet support it.
> We've talked with large site operators who look forward to using Upgrade
> Insecure to update their sites to HTTPS. We similarly look forward to
> helping all browsers to implement the Upgrade Insecure Requests spec and
> retiring the UA-sniffing setup on
> Thanks,
> --Wendy
> --
> Wendy Seltzer -- +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
>        +1.617.863.0613 (mobile)

-- | @konklone <>

Received on Wednesday, 13 April 2016 20:17:51 UTC