Intent to Ship: Upgrade Insecure Requests.

118 views
Skip to first unread message

Mike West

unread,
Mar 23, 2015, 6:12:00 AM3/23/15
to blink-dev, Yoav Weiss, David Walp, Crispin Cowan, Anne van Kesteren, Peter Eckersley, Tanvi Vyas, Alex Russell, Mark Nottingham
+security-dev@ via BCC


Contact emails

mk...@chromium.org


Spec

https://w3c.github.io/webappsec/specs/upgrade/


Summary

We encourage authors to transition their sites and applications away from insecure transport, and onto encrypted and authenticated connections, but mixed content checking causes headaches. This feature defines a CSP directive which allows authors to ask the user agent to transparently upgrade HTTP resources to HTTPS to ease the migration burden.


Link to “Intent to Implement” blink-dev discussion

https://groups.google.com/a/chromium.org/d/msg/blink-dev/rjeFL53OV4I/_NvMh0_qsWEJ


Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

Yes


Demo link

https://mikewest.github.io/upgrade-demo/ (flip the "Experimental Web Platform Features" flag in Canary to avoid the mixed content error. Wow, right?).


Debuggability

1. Network requests will show up in the inspector, just as any other request will.

2. Content Security Policy's report only mode can be used to track down upgraded requests, as discussed in https://w3c.github.io/webappsec/specs/upgrade/#reporting-upgrades.


Compatibility Risk

Moderate to low.


We've had spirited discussion on the public-webappsec@ mailing list (the threads at https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0005.html and https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0015.html are illustrative). While there's still discussion about what we can do by default, and some details of the spec (https://github.com/w3c/webappsec/issues/184, for instance), I believe we've got what we need for a minimum-viable implementation that we can ship to developers to start gathering feedback regarding whether or not this actually solves real-world problems. I suspect that we'll end up wanting to more than the current state of the spec, and I very much doubt that we'll end up wanting to do less.


Mozilla hasn't signaled disagreement with the spec, but also hasn't been incredibly positive. https://bugzilla.mozilla.org/show_bug.cgi?id=1139297 covers the feature, but no one has picked it up yet. CCing Anne and Tanvi to see if they have thoughts.


Microsoft hasn't participated much since the publication of the FPWD. CCing Crispin and David to see if they have specific feedback.


Yoav reviewed most of the patches, and mnot@ had some feedback, both of which I'll take as an explicit signal that Akamai supports the plan at the highest levels of their org.


The Let's Encrypt folks at EFF are excited about it (though they want even more), and plan to use the feature as part of their deployment toolset. If that takes off, a certain subset of sites might come to depend upon the feature over HTTPS, and fail to work without it due to mixed content errors. I think this in particular is somewhat low risk, given that these sites still support HTTP and the feature detection outlined in https://w3c.github.io/webappsec/specs/upgrade/#feature-detect will allow them to downgrade browsers that don't support the feature (that was the main driver of adding those signals to the spec). CCing Peter Eckersley to verify that I'm not overstating his enthusiasm for the spec as it stands.


OWP launch tracking bug?

https://crbug.com/455674


Link to entry on the feature dashboard

https://www.chromestatus.com/features/6534575509471232


-mike

ad...@chromium.org

unread,
Mar 23, 2015, 6:25:55 AM3/23/15
to blin...@chromium.org, yo...@yoav.ws, David...@microsoft.com, cri...@microsoft.com, ann...@annevk.nl, p...@eff.org, ta...@mozilla.com, sligh...@chromium.org, mn...@mnot.net
Non-owner LGTM. For initial feedback, this seems like a very reasonable MVP.

Excited to see this ship!

Jochen Eisinger

unread,
Mar 23, 2015, 6:28:39 AM3/23/15
to ad...@chromium.org, blin...@chromium.org, yo...@yoav.ws, David...@microsoft.com, cri...@microsoft.com, ann...@annevk.nl, p...@eff.org, ta...@mozilla.com, sligh...@chromium.org, mn...@mnot.net
the additional parts of the spec that are currently being discussed can be shipped on top of the MVP without breaking anything, so lgtm

Chris Harrelson

unread,
Mar 23, 2015, 2:51:33 PM3/23/15
to Jochen Eisinger, ad...@chromium.org, blink-dev, Yoav Weiss, David...@microsoft.com, cri...@microsoft.com, Anne van Kesteren, p...@eff.org, ta...@mozilla.com, sligh...@chromium.org, mn...@mnot.net
While I am in favor of this change, once it's launched it will be very hard to undo because sites will start to rely on it and a rollback will cause mixed content warnings to appear. So I'd like to see explicit support from the Chrome security team before giving my looks-good-to-me.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Mike West

unread,
Mar 23, 2015, 3:08:12 PM3/23/15
to Chris Harrelson, Jochen Eisinger, ad...@chromium.org, blink-dev, Yoav Weiss, David Walp, Crispin Cowan, Anne van Kesteren, Peter Eckersley, Tanvi Vyas, Alex Russell, Mark Nottingham
On Mon, Mar 23, 2015 at 7:51 PM, Chris Harrelson <chri...@chromium.org> wrote:
While I am in favor of this change, once it's launched it will be very hard to undo because sites will start to rely on it and a rollback will cause mixed content warnings to appear. So I'd like to see explicit support from the Chrome security team before giving my looks-good-to-me.

Does the feature-detection fallback not give you confidence in sites ability to recover?

That is, in the presence of browser that don't support the feature (that is, every browser at the moment :) ), sites who require the feature will "upgrade" user agents that support the feature and "downgrading" user agents that don't as described in https://w3c.github.io/webappsec/specs/upgrade/#preference.

If this turns out to be a terrible idea, we'll roll it back, stop sending the "HTTPS" header, and be treated just like every other browser that doesn't support the feature.

--
Mike West <mk...@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Chris Harrelson

unread,
Mar 23, 2015, 3:36:52 PM3/23/15
to Mike West, Jochen Eisinger, ad...@chromium.org, blink-dev, Yoav Weiss, David Walp, Crispin Cowan, Anne van Kesteren, Peter Eckersley, Tanvi Vyas, Alex Russell, Mark Nottingham
I looked more closely at the spec with Mike's help, and realized that I misunderstood some aspects. 

LGTM, but would still like to hear from others on Chrome security team that they agree this is a good change.

Parisa Tabriz

unread,
Mar 23, 2015, 5:16:37 PM3/23/15
to blin...@chromium.org, mk...@google.com, joc...@chromium.org, ad...@chromium.org, yo...@yoav.ws, David...@microsoft.com, cri...@microsoft.com, ann...@annevk.nl, p...@eff.org, ta...@mozilla.com, sligh...@chromium.org, mn...@mnot.net, chri...@chromium.org
On Monday, March 23, 2015 at 12:36:52 PM UTC-7, Chris Harrelson wrote:
I looked more closely at the spec with Mike's help, and realized that I misunderstood some aspects. 

LGTM, but would still like to hear from others on Chrome security team that they agree this is a good change.


LGTM!

Philip Jägenstedt

unread,
Mar 24, 2015, 4:47:25 AM3/24/15
to Parisa Tabriz, blink-dev, Mike West, Jochen Eisinger, ad...@chromium.org, Yoav Weiss, David...@microsoft.com, cri...@microsoft.com, Anne van Kesteren, p...@eff.org, ta...@mozilla.com, sligh...@chromium.org, Mark Nottingham, Chris Harrelson
LGTM3, but it's only been 22 hours, so maybe wait for a few days to give everyone time time to object if necessary.

Mike West

unread,
Mar 24, 2015, 6:23:33 AM3/24/15
to Philip Jägenstedt, Parisa Tabriz, blink-dev, Jochen Eisinger, ad...@chromium.org, Yoav Weiss, David Walp, Crispin Cowan, Anne van Kesteren, Peter Eckersley, Tanvi Vyas, Alex Russell, Mark Nottingham, Chris Harrelson
On Tue, Mar 24, 2015 at 9:47 AM, Philip Jägenstedt <phi...@opera.com> wrote:
LGTM3, but it's only been 22 hours, so maybe wait for a few days to give everyone time time to object if necessary.

Thanks!

If no one objects overnight, I'll land https://codereview.chromium.org/1032473002 tomorrow. We still have a week or two until the next branch point, so we should have plenty of time to revert if this turns out to be a terrible idea. :)

-mike

Mike West

unread,
Mar 25, 2015, 4:12:18 AM3/25/15
to Philip Jägenstedt, Parisa Tabriz, blink-dev, Jochen Eisinger, ad...@chromium.org, Yoav Weiss, David Walp, Crispin Cowan, Anne van Kesteren, Peter Eckersley, Tanvi Vyas, Alex Russell, Mark Nottingham, Chris Harrelson
Landed https://codereview.chromium.org/1032473002 this morning.

Thanks, all!

-mike

-Mike

Anne van Kesteren

unread,
Mar 25, 2015, 4:59:01 AM3/25/15
to Mike West, blink-dev, Yoav Weiss, David Walp, Crispin Cowan, Peter Eckersley, Tanvi Vyas, Alex Russell, Mark Nottingham
On Mon, Mar 23, 2015 at 11:11 AM, Mike West <mk...@chromium.org> wrote:
> Mozilla hasn't signaled disagreement with the spec, but also hasn't been
> incredibly positive. https://bugzilla.mozilla.org/show_bug.cgi?id=1139297
> covers the feature, but no one has picked it up yet. CCing Anne and Tanvi to
> see if they have thoughts.

The web needs this feature in one form or other. I think we mostly
lack someone to write the patch and push it through at this point.


--
https://annevankesteren.nl/

Mark Nottingham

unread,
Mar 25, 2015, 10:19:01 AM3/25/15
to Mike West, blink-dev, Yoav Weiss, David Walp, Crispin Cowan, Anne van Kesteren, Peter Eckersley, Tanvi Vyas, Alex Russell
Hey Mike,

> Yoav reviewed most of the patches, and mnot@ had some feedback, both of which I'll take as an explicit signal that Akamai supports the plan at the highest levels of their org.


I don't know that I'd go quite that far, but the security folks that I've talked to about it like it too. I'll take another look at the spec and chat with you if I have any remaining concerns.

Cheers,
--
Mark Nottingham https://www.mnot.net/




Mike West

unread,
Mar 25, 2015, 10:25:42 AM3/25/15
to Mark Nottingham, blink-dev, Yoav Weiss, David Walp, Crispin Cowan, Anne van Kesteren, Peter Eckersley, Tanvi Vyas, Alex Russell
On Wed, Mar 25, 2015 at 3:18 PM, Mark Nottingham <mn...@mnot.net> wrote:
> Yoav reviewed most of the patches, and mnot@ had some feedback, both of which I'll take as an explicit signal that Akamai supports the plan at the highest levels of their org.


I don't know that I'd go quite that far

Since both Yoav and Mark commented on this, I'll note that I was trying to be funny. Failing, apparently. :)
 
but the security folks that I've talked to about it like it too. I'll take another look at the spec and chat with you if I have any remaining concerns.

Thanks!

-mike

Mark Nottingham

unread,
Mar 25, 2015, 10:27:11 AM3/25/15
to Mike West, blink-dev, Yoav Weiss, David Walp, Crispin Cowan, Anne van Kesteren, Peter Eckersley, Tanvi Vyas, Alex Russell

> On 25 Mar 2015, at 9:24 am, Mike West <mk...@chromium.org> wrote:
>
> Since both Yoav and Mark commented on this, I'll note that I was trying to be funny. Failing, apparently. :)

You? Never!
Reply all
Reply to author
Forward
0 new messages