Be explicit that you don't need to update <a href> links to be HTTPS
#205
Comments
|
While that's true, those http:// links back to domains you control do leak; a MITM on http would be able to see the redirects. |
|
That's what HSTS is for :-) On Fri, Oct 14, 2016 at 2:54 PM, Mark Johnson notifications@github.com
"I disapprove of what you say, but I will defend to the death your right to |
|
Yeah, HSTS is great. Older browsers don't support HSTS, unfortunately. Which is one reason we're spending so much time fixing mixed content issues, since that's what Content-Security-Policy: upgrade-insecure-requests is for. It's a shame that u-i-r support isn't better than it is; it would have made this job a lot easier. |
|
@elucify Totally -- changing as many links as possible to be HTTPS is clearly a positive security goal, and HSTS won't help legacy browsers. I opened this issue after an inquiry from an agency where they mistakenly believed that updating The lack of u-i-r support in IE/Edge is frustrating. You could make a positive impact on its adoption by publicly noting somewhere how much of a difference it would make in your work. After WIRED posted about their struggles with flagging u-i-r support, Apple prioritized the feature and it's now deployed to Safari in stable iOS and OS X channels. Microsoft may be responsive to federal agencies expressing a need where Edge is the only major outlier. |
|
Yes, https This is somewhat hacky but... might you recommend using JavaScript to update http: hrefs on every page? Many sites have a site-wide JS module or two. Silently updating those links with JavaScript would essentially be a "poor man's u-i-r". As for encouraging vendors to get on the ball with security features (like u-i-r), maybe cio.gov could take leadership there, along with NIST, to extend the USGCB (https://usgcb.nist.gov/) to include a baseline and test suite for browser security features. I know that's a tall order--remember all the controversy over IE6 at State in 2008--but certainly M-15-13 implies HTTPS support, so why not HSTS and u-i-r? The prospect of being locked out of Federal government IT systems should get every vendor's attention. OTOH USGCB is stale--they still recommend IE8! |
M-15-13 already does require HSTS. :)
I would interpret it as a recommendation, not a requirement. https.cio.gov also recommends not using SHA-1 or RC4, but those aren't requirements of M-15-13. We've got to pick our requirements battles. |
|
I think this is likely not needed. |
You need to focus on pulling in resources through
<link>and<script>tags, but the links on your page don't need to be updated in order to comply.The text was updated successfully, but these errors were encountered: