
Re: Update to w3.org site configuration [UPGRADE]

From: Eric Mill <eric@konklone.com>
Date: Wed, 13 Apr 2016 16:16:44 -0400
Message-ID: <CANBOYLWyuwYEAg7OC8ZKWVBFOkLZtFkM4Gs5v6Ao1PML1os1RA@mail.gmail.com>
To: Wendy Seltzer <wseltzer@w3.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jose Kahan <jose.kahan@w3.org>, Ted Guild <ted@w3.org>

Has the W3C done any work to rewrite `http://` links on its previously
published documents to `https://`, to avoid mixed content warnings
altogether?

It looks like you could eliminate huge classes of warnings by just
regex-ing an "s" into place on many of the W3's old pages, and it looks
like they are generally maintained as static files that would make this
easy to do.

This could be a more fruitful way for w3.org to improve its security while
remaining usable, rather than waiting on UIR to make it into every browser.

-- Eric

On Tue, Apr 12, 2016 at 6:17 PM, Wendy Seltzer <wseltzer@w3.org> wrote:

> Hi WebAppSec,
>
> As Upgrade Insecure Requests is not currently implemented in all of the
> major browsers, W3C has decided to change the setup of the w3.org site.
> Instead of issuing HSTS and Upgrade Insecure to all clients, which was
> causing mixed-content blockage in several browsers, the site is now
> doing user-agent switching: offering HTTPS to those clients that support
> Upgrade Insecure, and HTTP to those that don't yet support it.
>
> We've talked with large site operators who look forward to using Upgrade
> Insecure to update their sites to HTTPS. We similarly look forward to
> helping all browsers to implement the Upgrade Insecure Requests spec and
> retiring the UA-sniffing setup on w3.org.
>
> Thanks,
> --Wendy
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> https://wendy.seltzer.org/        +1.617.863.0613 (mobile)


-- 
konklone.com | @konklone <https://twitter.com/konklone>
Received on Wednesday, 13 April 2016 20:17:51 UTC
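
The rewrite suggested in the message above, sketched as an added example (not part of the original thread and not W3C's tooling): it upgrades only URLs in tags that trigger a fetch, and leaves namespace identifiers such as xmlns and plain <a href> links alone, since a blanket regex would change those too. The host allowlist and the sample markup are constructed assumptions.

```python
import re

# Assumption for this example: hosts known to serve the same content over HTTPS.
HTTPS_HOSTS = {"www.w3.org", "w3.org"}

# Tags whose URL attribute is fetched on page load. <a href> is navigation,
# not a subresource, so it cannot cause a mixed content warning.
SUBRESOURCE_TAG = re.compile(
    r"<(?:img|script|iframe|link|audio|video|source|embed|object)\b[^>]*>",
    re.IGNORECASE,
)
URL_ATTR = re.compile(
    r"""((?<![\w-])(?:src|href|data|poster)\s*=\s*["']?)http://([^/"'\s>]+)""",
    re.IGNORECASE,
)

# Constructed sample page, not taken from w3.org.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="stylesheet" href="http://www.w3.org/example/style.css">
<script src="http://example.org/lib.js"></script></head>
<body><img src="http://www.w3.org/example/logo.png">
<a href="http://www.w3.org/example/">a link</a></body></html>"""


def _upgrade_attr(match):
    # Exact host match: unknown hosts and explicit ports are left untouched.
    if match.group(2).lower() in HTTPS_HOSTS:
        return f"{match.group(1)}https://{match.group(2)}"
    return match.group(0)


def upgrade_subresources(html):
    """Return (new_html, tags_changed), rewriting http:// to https://
    only inside subresource-loading tags for allowlisted hosts."""
    changed = 0

    def _upgrade_tag(match):
        nonlocal changed
        new_tag = URL_ATTR.sub(_upgrade_attr, match.group(0))
        changed += new_tag != match.group(0)
        return new_tag

    return SUBRESOURCE_TAG.sub(_upgrade_tag, html), changed


if __name__ == "__main__":
    page, count = upgrade_subresources(SAMPLE)
    print(f"{count} tag(s) rewritten")
    print(page)
```

Run it against a copy of the static files and review the diff before publishing; tag matching by regex does not handle a literal ">" inside an attribute value.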
