Upgrade-Insecure-Requests: 1 Added To Any Request


PhistucK
Nov 10, 2015, 1:17:08 PM
to net-dev
Looks like Chrome adds the Upgrade-Insecure-Requests: 1 HTTP header to every request.
A few HTTP websites I tried did not include anything related in their response, and Chrome still sent those headers -

This seems kind of wasteful (I recall you always try to cut down the number of bytes over the wire...).

Is this intentional?


PhistucK

Mike West
Nov 10, 2015, 2:04:16 PM
to PhistucK, net-dev
1. The header should only be sent for navigational requests (e.g. not for subresource requests like JavaScript or stylesheets): https://w3c.github.io/webappsec-upgrade-insecure-requests/#feature-detect. If we're sending it for more than the navigational request, then it's a bug, and I'll fix it.

2. The header name used to be shorter (`https`) but that broke the internet. :/

I agree that it's still more wasteful than it could be. I'm hopeful that we'll find good ways of cutting down the conditions under which we send the header. For instance, we can and should drop it for requests to preloaded HSTS hosts.

-mike

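One way a server can act on this header, as an added example that is not code from the thread or from Chromium: a handler that redirects an HTTP navigation to HTTPS only when the request carries Upgrade-Insecure-Requests: 1 (the feature-detect use described in the spec Mike links, since such a client will upgrade the page's subresources itself) and sets Vary so shared caches do not hand the redirect to clients that did not send the header. The host, path and body are constructed placeholders.

```python
# Added example (not from the thread): minimal server-side use of the
# Upgrade-Insecure-Requests request header. Per the thread, browsers send it
# on navigational requests only, so a subresource request never matches here.
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], bytes]


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def handle_request(scheme: str, host: str, path: str,
                   headers: Dict[str, str]) -> Response:
    """Return (status, response headers, body) for a request received over `scheme`."""
    # Every response for this URL depends on the request header, so caches
    # must key on it; otherwise a cached redirect could reach a client that
    # will not upgrade subresources and would see mixed-content breakage.
    vary = {"Vary": "Upgrade-Insecure-Requests"}

    if scheme == "http" and _header(headers, "Upgrade-Insecure-Requests") == "1":
        # The client has promised to upgrade the page's subresources, so the
        # HTTPS version is safe to serve: redirect the navigation there.
        return 307, {**vary, "Location": f"https://{host}{path}"}, b""

    # Any other client (or a request already on HTTPS) gets the page as-is.
    body = b"<html><body>constructed placeholder page</body></html>"
    return 200, {**vary, "Content-Type": "text/html"}, body
```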

PhistucK
Nov 10, 2015, 2:14:53 PM
to Mike West, net-dev
1. No, it is only sent with navigational requests. I should have tested it beforehand and been more specific.
2. Splendid. :P

What about only sending it in response to the response header for the next request (resource or not)?
Probably flaky or inconsistent (what if a page does not need additional requests?)...

I know the team worked hard to remove some headers in the past, or shorten them (User-Agent), so it surprises me that this (nice) feature loses some of the savings we achieved, even if only in navigational requests... :(

Thank you for the explanation!


PhistucK