HTTPS Upgrades

[christhompson]

WebKittens

@annevk @bailey

Title of the spec

HTTPS Upgrades

URL to the spec

https://fetch.spec.whatwg.org/

URL to the spec's repository

https://github.com/whatwg/fetch

Issue Tracker URL

No response

Explainer URL

https://github.com/dadrian/https-upgrade/blob/main/explainer.md

TAG Design Review URL

No response

Mozilla standards-positions issue URL

mozilla/standards-positions#800

WebKit Bugzilla URL

No response

Radar URL

No response

Description

“HTTPS Upgrades” is a proposal to standardize opportunistic upgrades of idempotent main frame navigation requests to HTTPS with fallback to HTTP on failure. We’ve written an explainer and have opened a proposal issue and PR on the Fetch spec for how we think we could add this to the spec.

The ChromeStatus entry for this feature is https://chromestatus.com/feature/6056181032812544. We currently have a prototype implementation enabled in Chrome’s pre-release channels (Canary/Dev/Beta).

[annevk]

What's not entirely clear to me about this proposal is whether it regresses on Mixed Content invariants when the navigation is upgraded. The specification PR doesn't seem like it's quite ready for review and I filed dadrian/https-upgrade#3 on the explainer.

See also WICG/proposals#63 (comment) which never was directly addressed to my knowledge.

[christhompson]

Thanks for filing the Explainer issue. Our goal is to not regress any Mixed Content invariants, so if anything stands out as potentially problematic we'd want to try to address it. I've tried to address the questions regarding mixed content vs. HTTPS Upgrades there and on WICG/proposals#63 (comment). We've iterated on the spec recently and I think we will be comfortable marking it as ready for review by Fetch owners soon.

[mozfreddyb]

It seems there is an httpsByDefault feature in development. Could you clarify if this is supposed to be interoperable with this proposal here? If so, can we assume that the standards position on this is positive?

https://bugs.webkit.org/show_bug.cgi?id=277016 / WebKit/WebKit#31171

[annevk]

WebKit is generally supportive of moving the web to HTTPS. Given that the PR linked in OP still has a number of open issues I'm a bit hesitant to proposing marking this as "position: support" as we'd like to see those issues addressed.