diff --git a/specs/upgrade/index.html b/specs/upgrade/index.html index 5c7fb36f..00d66ac5 100644 --- a/specs/upgrade/index.html +++ b/specs/upgrade/index.html @@ -70,8 +70,8 @@
If we assume that authors do the server-side legwork (obtaining a certificate,
configuring the server, setting up redirects), and that authors also ensure
- that content is accessible at the same host
and path
- on a secure scheme
, then the following statements ought to hold after
- implementing this feature:
host
and path
on a secure scheme
, then the
+ following statements ought to hold after implementing this feature:
server { - if ($http_https = "1") { - add_header Vary HTTPS; + if ($http_upgrade_insecure_requests = "1") { + add_header Vary Upgrade-Insecure-Requests; return 307 https://$host$request_uri; } } @@ -608,7 +609,7 @@
- - +
- @@ -627,8 +628,9 @@
resource representation which will be returned does not require the
upgrade-insecure-requests
mechanism described in this document to avoid breakage, or if theRequest
's -header-list
contains anHTTPS
header field - with a value of1
. +header-list
contains an +Upgrade-Insecure-Requests
header field with a value of +1
. @@ -693,8 +695,7 @@
The Augmented Backus-Naur Form (ABNF) notation used in §3.1 - The upgrade-insecure-requests Content Security Policy directive - is + The upgrade-insecure-requests Content Security Policy directive is specified in RFC5234. [ABNF]
@@ -724,8 +725,7 @@3. Upgrade. It is set to Do Not Upgrade unless otherwise specified. This policy is checked in §4.1 - Upgrade request to a potentially secure URL, if appropriate - in order to determine whether or not + Upgrade request to a potentially secure URL, if appropriate in order to determine whether or not subresource requests and form submissions should be upgraded during fetching. @@ -737,8 +737,7 @@
3. contains a set of (
host
,port
) tuples to which navigations ought to be upgraded. Its value is the empty set unless otherwise specified. This set is checked in §4.1 - Upgrade request to a potentially secure URL, if appropriate - in order to + Upgrade request to a potentially secure URL, if appropriate in order to determine whether or not navigational requests should be upgraded. @@ -805,7 +804,7 @@3 for additional detail. -
In a thread on public-webappsec@, Peter Eckersley suggested modifying this to allow whitelisting specific hosts, rather than upgrading everything: "That way, if you have N third parties @@ -820,8 +819,7 @@
3.1.
The
@@ -851,19 +849,19 @@upgrade-insecure-requests
directive results in requests being rewritten at the top of the Fetching algorithm [FETCH], as specified in §4.1 - Upgrade request to a potentially secure URL, if appropriate - . It’s important to note that + Upgrade request to a potentially secure URL, if appropriate. It’s important to note that the rewrite happens before either Mixed Content [MIX] or Content Security Policy checks take effect [CSP2].HTTPS HTTP request header as described in - §3.2.1 - The HTTPS HTTP Request Header Field - . + including an
Upgrade-Insecure-Requests
header field as + described in §3.2.1 + The Upgrade-Insecure-Requests HTTP Request Header Field.3.2.1. - The
-HTTPS
HTTP Request Header Field + TheUpgrade-Insecure-Requests
HTTP Request Header FieldThe
HTTPS
HTTP request header - field sends a signal to the server expressing the client’s preference +The +
@@ -872,29 +870,29 @@Upgrade-Insecure-Requests
HTTP request header + field sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle theupgrade-insecure-requests
directive in order to make that preference as seamless as possible to provide.WSP "1" *WSP +
"Upgrade-Insecure-Requests:" *WSP "1" *WSP-Note: Though the
HTTPS
header expresses a preference, sending - it via the existingPrefer
header is problematic, as we - expect the response from the server to use it as part of the cache key. -Vary: Prefer
is too broad, as discussed in +Note: Though the
Upgrade-Insecure-Requests
header expresses a + preference, sending it via the existingPrefer
header is + problematic, as we expect the response from the server to use it as part of + the cache key.Vary: Prefer
is too broad, as discussed in w3/webappsec#216.User agent conformance details are described in step #1 of the the §4.1 - Upgrade request to a potentially secure URL, if appropriate - algorithm. That step represents the following + Upgrade request to a potentially secure URL, if appropriate algorithm. That step represents the following requirements:
- - User agents MUST send an
HTTPS
header along with -Request
s for a priori insecure URLs. + User agents MUST send anUpgrade-Insecure-Requests
header + field along withRequest
s for a priori + insecure URLs.Note: Servers can use this signal to upgrade HTTP requests to HTTPS for @@ -904,9 +902,9 @@
HTTPS header along with -
Request
s for potentially secure URLs whoseurl
's -host
is not a preloadable HSTS host. + User agents MUST send anUpgrade-Insecure-Requests
header + field along withRequest
s for potentially secure URLs whose +url
'shost
is not a preloadable HSTS host.Note: Servers can use the absence of this signal to downgrade HTTPS @@ -917,19 +915,20 @@
HTTPS header - along with
Request
s for potentially secure URLs whose -url
'shost
is a preloadable HSTS host. - For example, user agents could send anHTTPS
header - only when the assertedmax-age
is a few days from expiration, - or only for a small percentage of requests. + User agents SHOULD periodically send an +Upgrade-Insecure-Requests
header field along with +Request
s for potentially secure URLs whoseurl
's +host
is a preloadable HSTS host. For example, user + agents could send anUpgrade-Insecure-Requests
header + field only when the assertedmax-age
is a few days from + expiration, or only for a small percentage of requests.Note: preloadable HSTS hosts have asserted that they are HSTS-safe, and therefore don’t need a downgrade signal. They will need to refresh HSTS status before the asserted
+ expires, and themax-age
- expires, and theHTTPS
serves as a fine signal that - HSTS could be refreshed.Upgrade-Insecure-Requests
header + field serves as a fine signal that HSTS could be refreshed. @@ -948,14 +947,14 @@conditionally HSTS-safe [RFC6797]. -
+A client that supports this document’s upgrade mechanism requestshttp://example.com/
as follows:GET / HTTP/1.1 Host: example.com -HTTPS: 1 +Upgrade-Insecure-Requests: 1@@ -968,13 +967,14 @@Vary: HTTPS +Vary: Upgrade-Insecure-Requests -
HTTPS
is listed in theVary
header, - as the redirect response might otherwise be served by caches to clients that +The
@@ -1126,7 +1126,7 @@Upgrade-Insecure-Requests
+ header field is listed in theVary
header, as the + redirect response might otherwise be served by caches to clients that don’t support the upgrade mechanism defined here. A similar effect could be achieved by making this redirect response uncachable via theCache-Control
header:3. - + @@ -1134,7 +1134,7 @@
3. -
The WHATWG HTML spec is significantly clearer here than [WORKERS]. +
The WHATWG HTML spec is significantly clearer here than [WORKERS]. Hope that doesn’t cause problems when transitioning to CR.
@@ -1208,9 +1208,10 @@Request request, this algorithm will rewrite its
url
if theclient
from which the request originates - has opted-in to upgrades. It will also inject anHTTPS
- header for insecure navigational requests in order to improve a server’s - ability to feature-detect a client’s upgrade capabilities. + has opted-in to upgrades. It will also inject an +Upgrade-Insecure-Requests
header field header for + insecure navigational requests in order to improve a server’s ability to + feature-detect a client’s upgrade capabilities.We will not upgrade cross-origin navigational requests, with the exception of @@ -1226,8 +1227,8 @@
context-frame-type is
top-level
,nested
, orauxiliary
, - append a header namedHTTPS
with a value of -1
to request’sheader-list
if + append a header namedUpgrade-Insecure-Requests
with a + value of1
to request’sheader-list
if any of the following criteria are met: @@ -1249,10 +1250,10 @@Note: User agents can choose to append the
HTTPS
- header for other requests, as discussed in §3.2.1 - The HTTPS HTTP Request Header Field - . +Note: User agents can choose to append the +
@@ -1306,8 +1307,7 @@Upgrade-Insecure-Requests
header field for other + requests, as discussed in §3.2.1 + The Upgrade-Insecure-Requests HTTP Request Header Field.§4.2 - Should insecure Requests be upgraded for client? - upon request’s + Should insecure Requests be upgraded for client? upon request’s
@@ -1599,7 +1597,7 @@client
. @@ -1431,8 +1431,7 @@Let upgrade state be the result of executing §4.2 - Should insecure Requests be upgraded for client? - upon the + Should insecure Requests be upgraded for client? upon the relevant settings object for client’s entry script. @@ -1520,13 +1519,12 @@
-7. Performance Considerations
The upgrade mechanism specified here adds
HTTPS: 1\r\n
(10 bytes) - to every outgoing navigational request to non-preloadable HSTS hosts - (as discussed at length on public-webappsec@, and +The upgrade mechanism specified here adds
@@ -1590,7 +1588,7 @@Upgrade-Insecure-Requests: + 1\r\n
to every outgoing navigational request to non-preloadable + HSTS hosts (as discussed at length on public-webappsec@, and w3c/webappsec#216). The advantages and intent of the header are laid out in §3.2.1 - The HTTPS HTTP Request Header Field - , and + The Upgrade-Insecure-Requests HTTP Request Header Field, and though we’ve taken some steps to ensure that it won’t be a permanent fixture of the platform (by carving out preloadable HSTS hosts), it’s going to be a long, long time before the header vanishes.9.1. - HTTPS + Upgrade-Insecure-Requests
Header field name -
- HTTPS +
- Upgrade-Insecure-Requests @@ -1628,8 +1626,7 @@
This specification (See §3.2.1 - The HTTPS HTTP Request Header Field - ) + The Upgrade-Insecure-Requests HTTP Request Header Field) @@ -1726,17 +1723,17 @@
3
- HSTS-safe, 2
- HSTS-safe origin, 2 -
- HTTPS, 3.2.1 -
- HTTPS HTTP request header - field, 3.2.1
- insecure requests policy, 3
- preloadable HSTS host, 2
- safely upgradable, 2
- safely upgradable requests, 2 -
- upgrade, 2
- Upgrade, 3 +
- upgrade a request, 2
- upgrade insecure navigations set, 3 -
- upgrade-insecure-requests, 3.1 +
- upgrade-insecure-requests, 3.1 +
- Upgrade-Insecure-Requests header field, 3.2.1 +
- Upgrade-Insecure-Requests HTTP request header + field, 3.2.1
Terms defined by reference
- [CSP2] defines the following terms: @@ -1853,7 +1850,7 @@
Normativ
- [FETCH]
- Anne van Kesteren. Fetch. Living Standard. URL: https://fetch.spec.whatwg.org/
- [HTML] -
- Ian Hickson. HTML. Living Standard. URL: https://html.spec.whatwg.org/ +
- Ian Hickson. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
- [MIX]
- Mike West. Mixed Content. LCWD. URL: https://w3c.github.io/webappsec/specs/mixedcontent/
- [RFC3864] @@ -1869,17 +1866,17 @@
Normativ
- [URL]
- Anne van Kesteren. URL. Living Standard. URL: https://url.spec.whatwg.org/
- [DOM] -
- Anne van Kesteren; et al. W3C DOM4. 10 July 2014. LCWD. URL: http://www.w3.org/TR/dom/ +
- Anne van Kesteren; et al. W3C DOM4. 18 June 2015. LCWD. URL: http://www.w3.org/TR/dom/
- [HTML5] -
- Robin Berjon; et al. HTML5. 28 October 2014. REC. URL: http://www.w3.org/TR/html5/ +
- Ian Hickson; et al. HTML5. 28 October 2014. REC. URL: http://www.w3.org/TR/html5/
- [RFC2119] -
- S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: http://www.ietf.org/rfc/rfc2119.txt +
- S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
- [RFC5234] -
- D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF. January 2008. Internet Standard. URL: http://www.ietf.org/rfc/rfc5234.txt +
- D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF. January 2008. Internet Standard. URL: https://tools.ietf.org/html/rfc5234
- [RFC7234] -
- R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Caching. June 2014. Proposed Standard. URL: http://www.ietf.org/rfc/rfc7234.txt +
- R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Caching. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7234
- [RFC7240] -
- J. Snell. Prefer Header for HTTP. June 2014. Proposed Standard. URL: http://www.ietf.org/rfc/rfc7240.txt +
- J. Snell. Prefer Header for HTTP. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7240
- [WORKERS]
- Ian Hickson. Web Workers. 1 May 2012. CR. URL: http://www.w3.org/TR/workers/
Informative References
@@ -1892,14 +1889,14 @@Inform
- Mark Nottingham. Securing the Web. TAG Finding. URL: http://www.w3.org/2001/tag/doc/web-https
Issues Index
-In +In a thread on public-webappsec@, Peter Eckersley suggested modifying this to allow whitelisting specific hosts, rather than upgrading everything: "That way, if you have N third parties on a site, and (say) two of them provide images only, and don’t support HTTPS at all, you can use the upgrade mechanism for scripts on the other N - 2 origins." <https://github.com/w3c/webappsec/issues/184> ↵-Monkey patching. :( ↵-