- From: Eric Mill <eric@konklone.com>
- Date: Wed, 13 Apr 2016 16:16:44 -0400
- To: Wendy Seltzer <wseltzer@w3.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jose Kahan <jose.kahan@w3.org>, Ted Guild <ted@w3.org>
- Message-ID: <CANBOYLWyuwYEAg7OC8ZKWVBFOkLZtFkM4Gs5v6Ao1PML1os1RA@mail.gmail.com>
Has the W3C done any work to rewrite `http://` links on its previously published documents to `https://`, to avoid mixed content warnings altogether?

It looks like you could eliminate huge classes of warnings by just regex-ing an "s" into place on many of the W3's old pages, and it looks like they are generally maintained as static files that would make this easy to do.

This could be a more fruitful way for w3.org to improve its security while remaining usable, rather than waiting on UIR to make it into every browser.

-- Eric

On Tue, Apr 12, 2016 at 6:17 PM, Wendy Seltzer <wseltzer@w3.org> wrote:

> Hi WebAppSec,
>
> As Upgrade Insecure Requests is not currently implemented in all of the
> major browsers, W3C has decided to change the setup of the w3.org site.
> Instead of issuing HSTS and Upgrade Insecure to all clients, which was
> causing mixed-content blockage in several browsers, the site is now
> doing user-agent switching: offering HTTPS to those clients that support
> Upgrade Insecure, and HTTP to those that don't yet support it.
>
> We've talked with large site operators who look forward to using Upgrade
> Insecure to update their sites to HTTPS. We similarly look forward to
> helping all browsers to implement the Upgrade Insecure Requests spec and
> retiring the UA-sniffing setup on w3.org.
>
> Thanks,
> --Wendy
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> https://wendy.seltzer.org/ +1.617.863.0613 (mobile)

--
konklone.com | @konklone <https://twitter.com/konklone>
Received on Wednesday, 13 April 2016 20:17:51 UTC
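
The static-file rewrite proposed in the message above, as an added example that is not part of the original thread or any W3C tooling: it upgrades only attributes that load subresources, and leaves XML namespace URIs, DOCTYPE DTD URLs and ordinary `<a href>` links untouched, which a blind regex would also change. The `HTTPS_HOSTS` allowlist, the function name and the sample page are assumptions made for this example.

```python
import re

# Assumption: hosts already verified to serve the same content over HTTPS.
HTTPS_HOSTS = {"www.w3.org", "w3.org"}

# Tag -> attributes that make the browser fetch a subresource (the source of
# mixed-content warnings). <a href> is navigation, so it is left out.
SUBRESOURCE_ATTRS = {
    "img": {"src"}, "script": {"src"}, "iframe": {"src"},
    "audio": {"src"}, "video": {"src", "poster"}, "source": {"src"},
    "embed": {"src"}, "object": {"data"}, "link": {"href"},
}

# Start tags only: "<!DOCTYPE ...>" and its DTD URL never match.
TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)\b([^>]*)>")
ATTR_RE = re.compile(r"""\b([A-Za-z-]+)(\s*=\s*)(["'])http://([^/"'\s>]+)([^"']*)\3""")
STYLESHEET_RE = re.compile(r"""\brel\s*=\s*["'][^"']*\bstylesheet\b""", re.I)


def upgrade_subresources(html):
    """Return (rewritten_html, count) with http:// -> https:// on subresources only."""
    count = 0

    def fix_tag(tag):
        nonlocal count
        name, attr_text = tag.group(1), tag.group(2)
        wanted = SUBRESOURCE_ATTRS.get(name.lower())
        # Only stylesheet <link>s are treated as subresources; other rel values are left alone.
        if not wanted or (name.lower() == "link" and not STYLESHEET_RE.search(attr_text)):
            return tag.group(0)

        def fix_attr(m):
            nonlocal count
            attr, eq, quote, host, rest = m.groups()
            if attr.lower() not in wanted or host.lower() not in HTTPS_HOSTS:
                return m.group(0)  # unknown host or non-loading attribute: do not touch
            count += 1
            return f"{attr}{eq}{quote}https://{host}{rest}{quote}"

        return f"<{name}{ATTR_RE.sub(fix_attr, attr_text)}>"

    return TAG_RE.sub(fix_tag, html), count


# Constructed sample page for this example, not taken from w3.org.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="stylesheet" href="http://www.w3.org/StyleSheets/TR/base.css">
<script src="http://example.org/lib.js"></script></head>
<body><img src="http://www.w3.org/Icons/w3c_home" alt="W3C">
<a href="http://www.w3.org/TR/">Technical reports</a></body></html>"""
```

Third-party hosts are skipped on purpose: adding the "s" for a host that does not serve HTTPS turns a warning into a broken load, so each host belongs in the allowlist only after it has been checked.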