You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A full forced redirect to HTTPS should have no negative impact on browsers accessing code.jquery.com through a <script> tag. An HSTS header would further protect visitors to sites that embed an insecure code.jquery.com link.
Alternatively, I can see that CORS has just recently been enabled for resources on code.jquery.com. Safari does break on attempts to redirect CORS URLs from HTTP to HTTPS, even if both endpoints have CORS headers enabled.
Before the jQuery CDN develops much of a user base for its CORS support, the most immediate helpful thing to avoid making it difficult for the CDN to force a redirect in the future would be to only provide CORS support for HTTPS requests. This would at least prevent the situation from deterioriating while the jQuery CDN evaluates a full switch to HTTPS and HSTS.
The text was updated successfully, but these errors were encountered:
We choose not to perform forceful redirects from HTTP for back-compatibility. As a widely used CDN, these can cause issues for some users where HTTPS is not an option, where it is intentionally not used, or where redirects may cause failures.
We have seen more than once in large projects that while in theory all HTTP clients should be able to follow redirects, there are plenty of proxies and crawler scripts that will naively download a URL and use the response. I've more than once found that a deployment pipeline, build script, or production workload stopped working because a URL became redirect. At this point, it does not seem to benefit anyone if we deny HTTP serving and/or force redirects.
We have been promoting use of SRI hashes in <script> tags for many years, which can be seen by clicking on any resource at https://code.jquery.com/ (uses JavaScript). In supported browsers, when using SRI, it thus is already validated that the expected content is served and cannot be modified or otherwise hijacked.
@Krinkle a redirect to HTTPS is one of prerequisites of adding a domain to the HSTS preload list as documented at https://hstspreload.org/. So it looks like we can enable HSTS but it will never be preloaded?
A full forced redirect to HTTPS should have no negative impact on browsers accessing code.jquery.com through a
<script>
tag. An HSTS header would further protect visitors to sites that embed an insecure code.jquery.com link.Alternatively, I can see that CORS has just recently been enabled for resources on code.jquery.com. Safari does break on attempts to redirect CORS URLs from HTTP to HTTPS, even if both endpoints have CORS headers enabled.
Before the jQuery CDN develops much of a user base for its CORS support, the most immediate helpful thing to avoid making it difficult for the CDN to force a redirect in the future would be to only provide CORS support for HTTPS requests. This would at least prevent the situation from deterioriating while the jQuery CDN evaluates a full switch to HTTPS and HSTS.
The text was updated successfully, but these errors were encountered: