If we assume that authors do the server-side legwork (obtaining a certificate,
configuring the server, setting up redirects), and that authors also ensure
- that content is accessible at the same host and path
- on a secure scheme, then the following statements ought to hold after
- implementing this feature:
host and path on a secure scheme, then the
+ following statements ought to hold after implementing this feature:
server {
- if ($http_https = "1") {
- add_header Vary HTTPS;
+ if ($http_upgrade_insecure_requests = "1") {
+ add_header Vary Upgrade-Insecure-Requests;
return 307 https://$host$request_uri;
}
}
@@ -608,7 +609,7 @@
-
-
+
-
@@ -627,8 +628,9 @@
resource representation which will be returned does not require the
upgrade-insecure-requests mechanism described in this
document to avoid breakage, or if the Request's
- header-list contains an HTTPS header field
- with a value of 1.
+ header-list contains an
+ Upgrade-Insecure-Requests header field with a value of
+ 1.
@@ -693,8 +695,7 @@
The Augmented Backus-Naur Form (ABNF) notation used in §3.1
- The upgrade-insecure-requests Content Security Policy directive
- is
+ The upgrade-insecure-requests Content Security Policy directive is
specified in RFC5234. [ABNF]
@@ -724,8 +725,7 @@ 3.
Upgrade. It is
set to Do Not Upgrade unless otherwise specified. This policy
is checked in §4.1
- Upgrade request to a potentially secure URL, if appropriate
- in order to determine whether or not
+ Upgrade request to a potentially secure URL, if appropriate in order to determine whether or not
subresource requests and form submissions should be upgraded during
fetching.
@@ -737,8 +737,7 @@ 3.
contains a set of (host, port) tuples to which navigations
ought to be upgraded. Its value is the empty set unless otherwise
specified. This set is checked in §4.1
- Upgrade request to a potentially secure URL, if appropriate
- in order to
+ Upgrade request to a potentially secure URL, if appropriate in order to
determine whether or not navigational requests should be upgraded.
@@ -805,7 +804,7 @@ 3
for additional detail.
- In
a thread on public-webappsec@,
Peter Eckersley suggested modifying this to allow whitelisting specific hosts,
rather than upgrading everything: "That way, if you have N third parties
@@ -820,8 +819,7 @@
3.1.
The upgrade-insecure-requests directive results in
requests being rewritten at the top of the Fetching algorithm
[FETCH], as specified in §4.1
- Upgrade request to a potentially secure URL, if appropriate
- . It’s important to note that
+ Upgrade request to a potentially secure URL, if appropriate. It’s important to note that
the rewrite happens before either Mixed Content [MIX] or Content
Security Policy checks take effect [CSP2].
@@ -851,19 +849,19 @@ HTTPS HTTP request header as described in
- §3.2.1
- The HTTPS HTTP Request Header Field
- .
+ including an Upgrade-Insecure-Requests header field as
+ described in §3.2.1
+ The Upgrade-Insecure-Requests HTTP Request Header Field.
3.2.1.
- The HTTPS HTTP Request Header Field
+ The Upgrade-Insecure-Requests HTTP Request Header Field
- The HTTPS HTTP request header
- field sends a signal to the server expressing the client’s preference
+
The
+ Upgrade-Insecure-Requests HTTP request header
+ field sends a signal to the server expressing the client’s preference
for an encrypted and authenticated response, and that it can successfully
handle the upgrade-insecure-requests directive in order
to make that preference as seamless as possible to provide.
@@ -872,29 +870,29 @@ WSP "1" *WSP
+ "Upgrade-Insecure-Requests:" *WSP "1" *WSP
- Note: Though the HTTPS header expresses a preference, sending
- it via the existing Prefer header is problematic, as we
- expect the response from the server to use it as part of the cache key.
- Vary: Prefer is too broad, as discussed in
+
Note: Though the Upgrade-Insecure-Requests header expresses a
+ preference, sending it via the existing Prefer header is
+ problematic, as we expect the response from the server to use it as part of
+ the cache key. Vary: Prefer is too broad, as discussed in
w3/webappsec#216.
User agent conformance details are described in step #1 of the the
§4.1
- Upgrade request to a potentially secure URL, if appropriate
- algorithm. That step represents the following
+ Upgrade request to a potentially secure URL, if appropriate algorithm. That step represents the following
requirements:
-
- User agents MUST send an
HTTPS header along with
- Requests for a priori insecure URLs.
+ User agents MUST send an Upgrade-Insecure-Requests header
+ field along with Requests for a priori
+ insecure URLs.
Note: Servers can use this signal to upgrade HTTP requests to HTTPS for
@@ -904,9 +902,9 @@
HTTPS header along with
- Requests for potentially secure URLs whose url's
- host is not a preloadable HSTS host.
+ User agents MUST send an Upgrade-Insecure-Requests header
+ field along with Requests for potentially secure URLs whose
+ url's host is not a preloadable HSTS host.
Note: Servers can use the absence of this signal to downgrade HTTPS
@@ -917,19 +915,20 @@
HTTPS header
- along with Requests for potentially secure URLs whose
- url's host is a preloadable HSTS host.
- For example, user agents could send an HTTPS header
- only when the asserted max-age is a few days from expiration,
- or only for a small percentage of requests.
+ User agents SHOULD periodically send an
+ Upgrade-Insecure-Requests header field along with
+ Requests for potentially secure URLs whose url's
+ host is a preloadable HSTS host. For example, user
+ agents could send an Upgrade-Insecure-Requests header
+ field only when the asserted max-age is a few days from
+ expiration, or only for a small percentage of requests.
Note: preloadable HSTS hosts have asserted that they are
HSTS-safe, and therefore don’t need a downgrade signal. They will
need to refresh HSTS status before the asserted max-age
- expires, and the HTTPS serves as a fine signal that
- HSTS could be refreshed.
+ expires, and the Upgrade-Insecure-Requests header
+ field serves as a fine signal that HSTS could be refreshed.
@@ -948,14 +947,14 @@ conditionally HSTS-safe [RFC6797].
-
+
A client that supports this document’s upgrade mechanism requests
http://example.com/ as follows:
GET / HTTP/1.1
Host: example.com
-HTTPS: 1
+Upgrade-Insecure-Requests: 1
@@ -968,13 +967,14 @@ Vary: HTTPS
+Vary: Upgrade-Insecure-Requests
- HTTPS is listed in the Vary header,
- as the redirect response might otherwise be served by caches to clients that
+
The Upgrade-Insecure-Requests
+ header field is listed in the Vary header, as the
+ redirect response might otherwise be served by caches to clients that
don’t support the upgrade mechanism defined here. A similar effect could be
achieved by making this redirect response uncachable via the
Cache-Control header:
@@ -1126,7 +1126,7 @@ 3.
-
+
@@ -1134,7 +1134,7 @@ 3.
- The WHATWG HTML spec is significantly clearer here than [WORKERS].
+
The WHATWG HTML spec is significantly clearer here than [WORKERS].
Hope that doesn’t cause problems when transitioning to CR.
@@ -1208,9 +1208,10 @@ Request request, this algorithm will rewrite its
url if the client from which the request originates
- has opted-in to upgrades. It will also inject an HTTPS
- header for insecure navigational requests in order to improve a server’s
- ability to feature-detect a client’s upgrade capabilities.
+ has opted-in to upgrades. It will also inject an
+ Upgrade-Insecure-Requests header field header for
+ insecure navigational requests in order to improve a server’s ability to
+ feature-detect a client’s upgrade capabilities.
We will not upgrade cross-origin navigational requests, with the exception of
@@ -1226,8 +1227,8 @@
context-frame-type is
top-level, nested, or auxiliary,
- append a header named HTTPS with a value of
- 1 to request’s header-list if
+ append a header named Upgrade-Insecure-Requests with a
+ value of 1 to request’s header-list if
any of the following criteria are met:
@@ -1249,10 +1250,10 @@ Note: User agents can choose to append the HTTPS
- header for other requests, as discussed in §3.2.1
- The HTTPS HTTP Request Header Field
- .
+ Note: User agents can choose to append the
+ Upgrade-Insecure-Requests header field for other
+ requests, as discussed in §3.2.1
+ The Upgrade-Insecure-Requests HTTP Request Header Field.
@@ -1306,8 +1307,7 @@ §4.2
- Should insecure Requests be upgraded for client?
- upon request’s
+ Should insecure Requests be upgraded for client? upon request’s
client.
@@ -1431,8 +1431,7 @@
Let upgrade state be the result of executing
§4.2
- Should insecure Requests be upgraded for client?
- upon the
+ Should insecure Requests be upgraded for client? upon the
relevant settings
object for client’s entry script.
@@ -1520,13 +1519,12 @@ 7. Performance Considerations
- The upgrade mechanism specified here adds HTTPS: 1\r\n (10 bytes)
- to every outgoing navigational request to non-preloadable HSTS hosts
- (as discussed at length on public-webappsec@, and
+
The upgrade mechanism specified here adds Upgrade-Insecure-Requests:
+ 1\r\n to every outgoing navigational request to non-preloadable
+ HSTS hosts (as discussed at length on public-webappsec@, and
w3c/webappsec#216).
The advantages and intent of the header are laid out in §3.2.1
- The HTTPS HTTP Request Header Field
- , and
+ The Upgrade-Insecure-Requests HTTP Request Header Field, and
though we’ve taken some steps to ensure that it won’t be a permanent fixture
of the platform (by carving out preloadable HSTS hosts), it’s going
to be a long, long time before the header vanishes.
@@ -1590,7 +1588,7 @@ 9.1.
- HTTPS
+ Upgrade-Insecure-Requests
@@ -1599,7 +1597,7 @@ Header field name
- - HTTPS
+
- Upgrade-Insecure-Requests
@@ -1628,8 +1626,7 @@
This specification (See §3.2.1
- The HTTPS HTTP Request Header Field
- )
+ The Upgrade-Insecure-Requests HTTP Request Header Field)
@@ -1726,17 +1723,17 @@ 3
- HSTS-safe, 2
- HSTS-safe origin, 2
-
- HTTPS, 3.2.1
-
- HTTPS HTTP request header
- field, 3.2.1
- insecure requests policy, 3
- preloadable HSTS host, 2
- safely upgradable, 2
- safely upgradable requests, 2
-
- upgrade, 2
- Upgrade, 3
+
- upgrade a request, 2
- upgrade insecure navigations set, 3
-
- upgrade-insecure-requests, 3.1
+
- upgrade-insecure-requests, 3.1
+
- Upgrade-Insecure-Requests header field, 3.2.1
+
- Upgrade-Insecure-Requests HTTP request header
+ field, 3.2.1
Terms defined by reference
- [CSP2] defines the following terms:
@@ -1853,7 +1850,7 @@
Normativ
- [FETCH]
- Anne van Kesteren. Fetch. Living Standard. URL: https://fetch.spec.whatwg.org/
- [HTML]
-
- Ian Hickson. HTML. Living Standard. URL: https://html.spec.whatwg.org/
+
- Ian Hickson. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
- [MIX]
- Mike West. Mixed Content. LCWD. URL: https://w3c.github.io/webappsec/specs/mixedcontent/
- [RFC3864]
@@ -1869,17 +1866,17 @@
Normativ
- [URL]
- Anne van Kesteren. URL. Living Standard. URL: https://url.spec.whatwg.org/
- [DOM]
-
- Anne van Kesteren; et al. W3C DOM4. 10 July 2014. LCWD. URL: http://www.w3.org/TR/dom/
+
- Anne van Kesteren; et al. W3C DOM4. 18 June 2015. LCWD. URL: http://www.w3.org/TR/dom/
- [HTML5]
-
- Robin Berjon; et al. HTML5. 28 October 2014. REC. URL: http://www.w3.org/TR/html5/
+
- Ian Hickson; et al. HTML5. 28 October 2014. REC. URL: http://www.w3.org/TR/html5/
- [RFC2119]
-
- S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: http://www.ietf.org/rfc/rfc2119.txt
+
- S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
- [RFC5234]
-
- D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF. January 2008. Internet Standard. URL: http://www.ietf.org/rfc/rfc5234.txt
+
- D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF. January 2008. Internet Standard. URL: https://tools.ietf.org/html/rfc5234
- [RFC7234]
-
- R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Caching. June 2014. Proposed Standard. URL: http://www.ietf.org/rfc/rfc7234.txt
+
- R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Caching. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7234
- [RFC7240]
-
- J. Snell. Prefer Header for HTTP. June 2014. Proposed Standard. URL: http://www.ietf.org/rfc/rfc7240.txt
+
- J. Snell. Prefer Header for HTTP. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7240
- [WORKERS]
- Ian Hickson. Web Workers. 1 May 2012. CR. URL: http://www.w3.org/TR/workers/
Informative References
@@ -1892,14 +1889,14 @@ Inform
- Mark Nottingham. Securing the Web. TAG Finding. URL: http://www.w3.org/2001/tag/doc/web-https
Issues Index
- In
+ In
a thread on public-webappsec@,
Peter Eckersley suggested modifying this to allow whitelisting specific hosts,
rather than upgrading everything: "That way, if you have N third parties
on a site, and (say) two of them provide images only, and don’t support
HTTPS at all, you can use the upgrade mechanism for scripts on the other
N - 2 origins." <https://github.com/w3c/webappsec/issues/184> ↵
- Monkey patching. :( ↵
-