UPGRADE: Consider `upgrade-insecure-requests` in an insecure response as redirecting. #212
If a user navigates to
This would remove the necessity for sending a positive
Without thinking about it too hard, this seems clever. :)
One issue that I see here is that you're punishing upgrade-capable UAs the first time they access the site over HTTP, by forcing them to download the full response (or a large chunk of it, assuming they RST it), and then re-download it over HTTPS. At the end of this redirect the server can serve HSTS headers, making this problem go away for this particular user. Alternatively, we can also pin the Upgrade-capable server, and skip the redirect dance in follow-up sessions.
The secondary issue is that legacy UAs over HTTPS cannot be redirected away back to the unsafe, but intact, HTTP version. A JS API that exposes if the UA is Upgrade-capable can resolve that issue using a client-side redirect.
So, all in all, both are a very reasonable price to pay for not spamming the Web forever and ever.
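The cost described above (an upgrade-capable UA downloading the plaintext response once, then re-fetching over HTTPS, with HSTS removing the double fetch on later visits, while a legacy UA simply keeps the intact HTTP page) can be modelled in a few lines. The following is an added illustration, not code from the issue or from any browser or server; it assumes the upgrade signal is the CSP `upgrade-insecure-requests` directive in the plaintext response and that the TLS response carries `Strict-Transport-Security`, and the site contents and byte counts are constructed sample data.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed sample site: the same document served over http:// and https://.
# Assumption: the plaintext response carries the CSP `upgrade-insecure-requests`
# directive; the TLS response carries an HSTS header.
SITE = {
    "http://example.test/": {
        "headers": {"Content-Security-Policy": "upgrade-insecure-requests"},
        "body": b"<html>plaintext copy</html>" * 100,
    },
    "https://example.test/": {
        "headers": {"Strict-Transport-Security": "max-age=31536000"},
        "body": b"<html>secure copy</html>" * 100,
    },
}


def to_https(url):
    """Rewrite an http:// URL to its https:// counterpart (same authority and path)."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def csp_directives(value):
    """Return the directive names from a Content-Security-Policy header value."""
    return {d.strip().split()[0] for d in value.split(";") if d.strip()}


@dataclass
class Client:
    """A minimal UA model: either upgrade-capable (modern) or legacy."""
    upgrade_capable: bool
    hsts_hosts: set = field(default_factory=set)
    bytes_received: int = 0
    log: list = field(default_factory=list)

    def fetch(self, url, site=SITE):
        host = urlsplit(url).hostname
        # HSTS: a pinned host is rewritten before any plaintext request goes out,
        # so the redirect dance only costs the first visit.
        if host in self.hsts_hosts and url.startswith("http://"):
            url = to_https(url)
            self.log.append(("hsts-rewrite", url))
        resp = site[url]
        self.bytes_received += len(resp["body"])  # the whole body is downloaded
        self.log.append(("fetch", url))
        csp = csp_directives(resp["headers"].get("Content-Security-Policy", ""))
        if (self.upgrade_capable and url.startswith("http://")
                and "upgrade-insecure-requests" in csp):
            # The proposal: a modern UA treats the directive in a plaintext
            # response as a redirect to the https:// URL. Legacy UAs never get
            # here and keep the intact HTTP page.
            target = to_https(url)
            self.log.append(("upgrade-redirect", target))
            return self.fetch(target, site)
        if url.startswith("https://") and "Strict-Transport-Security" in resp["headers"]:
            self.hsts_hosts.add(host)
        return url, resp["body"]


def run_two_visits(upgrade_capable):
    """Visit the plaintext URL twice; report final URLs, bytes moved, HSTS state."""
    client = Client(upgrade_capable=upgrade_capable)
    first_url, _ = client.fetch("http://example.test/")
    second_url, _ = client.fetch("http://example.test/")
    return {
        "urls": (first_url, second_url),
        "bytes": client.bytes_received,
        "hsts_pinned": "example.test" in client.hsts_hosts,
        "log": client.log,
    }


if __name__ == "__main__":
    for capable in (True, False):
        result = run_two_visits(capable)
        print("upgrade-capable" if capable else "legacy", result["urls"], result["bytes"])
```

Running it shows the trade-off from the comment: the modern client pays for both bodies on the first visit and only the HTTPS body on the second (after the `hsts-rewrite` entry appears in its log), while the legacy client downloads the plaintext page each time and never sees the HTTPS copy.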
Copy/pasting from the thread with @igrigorik:
If we have that in place, perhaps we could reverse the signaling by adding an
This clearly addresses the "modern client" use case, and could be abused to address the "legacy vs modern" use case for those sites that really care if we're willing to suffer another redirect:
I expect Ilya's head to explode while reading this ("Two redirects?! Are you MAD!?"). It solves the problem, but isn't pretty, and isn't something I'd hope that most sites care about. :)
My expectation is that we will automatically deploy the "legacy vs modern" algorithm as the out-of-the-box default behaviour for the webservers that run the Let's Encrypt agent, since there won't be an easy way for us to tell if those sites suffer from mixed content or not, and we'll want to minimise breakage on old clients.
I don't have a completely clear picture yet of what you are proposing for that case. Let's keep things simple and assume it's a site that isn't ready for the strictures of HSTS, yet. Is the following accurate?
Have I understood that correctly?