HTTPS Upgrades #185

Open
christhompson opened this issue May 11, 2023 · 4 comments

Comments

@christhompson

christhompson commented May 11, 2023

WebKittens

@annevk @bailey

Title of the spec

HTTPS Upgrades

URL to the spec

https://fetch.spec.whatwg.org/

URL to the spec's repository

https://github.com/whatwg/fetch

Issue Tracker URL

No response

Explainer URL

https://github.com/dadrian/https-upgrade/blob/main/explainer.md

TAG Design Review URL

No response

Mozilla standards-positions issue URL

mozilla/standards-positions#800

WebKit Bugzilla URL

No response

Radar URL

No response

Description

“HTTPS Upgrades” is a proposal to standardize opportunistic upgrades of idempotent main frame navigation requests to HTTPS with fallback to HTTP on failure. We’ve written an explainer and have opened a proposal issue and PR on the Fetch spec for how we think we could add this to the spec.

The ChromeStatus entry for this feature is https://chromestatus.com/feature/6056181032812544. We currently have a prototype implementation enabled in Chrome’s pre-release channels (Canary/Dev/Beta).

@annevk
Contributor

annevk commented Jun 9, 2023

What's not entirely clear to me about this proposal is whether it regresses on Mixed Content invariants when the navigation is upgraded. The specification PR doesn't seem like it's quite ready for review and I filed dadrian/https-upgrade#3 on the explainer.

See also WICG/proposals#63 (comment) which never was directly addressed to my knowledge.

@christhompson
Author

Thanks for filing the Explainer issue. Our goal is to not regress any Mixed Content invariants, so if anything stands out as potentially problematic we'd want to try to address it. I've tried to address the questions regarding mixed content vs. HTTPS Upgrades there and on WICG/proposals#63 (comment). We've iterated on the spec recently and I think we will be comfortable marking it as ready for review by Fetch owners soon.

@mozfreddyb

It seems there is an httpsByDefault feature in development. Could you clarify if this is supposed to be interoperable with this proposal here? If so, can we assume that the standards position on this is positive?

https://bugs.webkit.org/show_bug.cgi?id=277016 / WebKit/WebKit#31171

@annevk
Contributor

annevk commented Sep 29, 2024

WebKit is generally supportive of moving the web to HTTPS. Given that the PR linked in OP still has a number of open issues I'm a bit hesitant to propose marking this as "position: support" as we'd like to see those issues addressed.
