-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTPS Upgrades #853
Comments
Looks good, however I see potential issues: In local networks, having Also, could there be a http response header put on https-served site to indicate that content on http is not the same and not redirect to https? (ie: to signal that https update should not be done optimistically) |
We've considered ways that we might avoid unnecessary upgrades for local networks (potentially building on top of some of the work that Private Network Access is doing). For now we settled on giving fairly open UA carveouts for exemptions in the spec itself -- Chrome's implementation is using this to exempt non-unique hostnames which we know can't get publicly trusted TLS certificates. For unique hostnames, there are many cases where these do have trusted TLS certificates despite resolving to local network addresses (e.g., the Plex model). On balance, because HTTPS-Upgrades will silently fallback to HTTP if the HTTPS request fails, this might add a small latency to some local network requests but should not cause breakage. (For Chrome's "HTTPS-First Mode", which shows a full page warning to the user before falling back to HTTP, we are working on ways that we might reduce this warning burden on users for local network requests, but this is still WIP.) Regarding a HTTP response header: We considered this when we were first proposing HTTPS-Upgrades but decided against it. An "opt-out" header is roughly equivalent to the site serving an HTTP downgrade redirect or just rejecting the HTTPS request (not responding on HTTPS or sending a reset) -- both will trigger the automatic fallback to HTTP. For sites that explicitly don't support HTTPS, we would recommend they serve a downgrade redirect. For the long-tail of sites that won't modify their configs, the new header wouldn't help. |
Following up here to check if there are any other concerns or questions from TAG regarding this feature. |
Is there any possibility of deleting
|
@jeon3029 you might want to chime in on the blink-dev thread. |
I don't see this as an opt-out, more an indication that content served through For sites that don't support |
We discussed this during our breakout, and agree that in general it is a good direction (in line with our Secure the Web finding). We expressed our observations but it is not blocking. |
こんにちは TAG-さん!
I'm requesting a TAG review of HTTPS Upgrades.
Browsers may still make insecure HTTP requests to HTTPS-enabled sites, unnecessarily exposing data over unencrypted connections. Some browsers ship with lists of sites that are known to support HTTPS, beyond those already in the HSTS preload list. Maintaining such a list is opaque, as it requires web crawler data, and error prone, as it will necessarily be out of date by the time it is shipped to users. It can also be bandwidth intensive, containing thousands or millions of sites that need to be updated. HTTPS Upgrades proposes that the browser should automatically and optimistically upgrade all main-frame HTTP navigations to HTTPS, with fast fallback to HTTP.
Further details:
You should also know that...
This feature is implemented and can be tested in Chrome Canary/Dev/Beta by enabling chrome://flags#https-upgrades. It uses the same underlying code as Chrome's "HTTPS-First Mode" which can be enabled in chrome://settings/security by toggling the "Always use secure connections" setting.
We'd prefer the TAG provide feedback as:
💬 leave review feedback as a comment in this issue and @-notify @christhompson and @dadrian
The text was updated successfully, but these errors were encountered: