|
71 | 71 | <h1 class="p-name no-ref" id="title">Upgrade Insecure Requests</h1>
|
72 | 72 |
|
73 | 73 | <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft,
|
74 |
| - <time class="dt-updated" datetime="2015-07-14">14 July 2015</time></span></h2> |
| 74 | + <time class="dt-updated" datetime="2015-07-15">15 July 2015</time></span></h2> |
75 | 75 |
|
76 | 76 | <div data-fill-with="spec-metadata">
|
77 | 77 | <dl>
|
@@ -168,6 +168,11 @@ <h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="cont
|
168 | 168 | <ul class="toc">
|
169 | 169 | <li><a href="#goals"><span class="secno">1.1</span> <span class="content">Goals</span></a>
|
170 | 170 | <li><a href="#examples"><span class="secno">1.2</span> <span class="content">Examples</span></a>
|
| 171 | + <ul class="toc"> |
| 172 | + <li><a href="#example-subresource"><span class="secno">1.2.1</span> <span class="content">Subresource Upgrades</span></a> |
| 173 | + <li><a href="#example-navigation"><span class="secno">1.2.2</span> <span class="content">Navigational Upgrades</span></a> |
| 174 | + <li><a href="#example-failed"><span class="secno">1.2.3</span> <span class="content">Failed Upgrade</span></a> |
| 175 | + </ul> |
171 | 176 | <li><a href="#recommendations"><span class="secno">1.3</span> <span class="content">Recommendations</span></a>
|
172 | 177 | </ul>
|
173 | 178 | <li><a href="#key-concepts"><span class="secno">2</span> <span class="content">Key Concepts and Terminology</span></a>
|
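Review bot: The new TOC entry at line 174, "Failed Upgrade", is singular while its two siblings at lines 172 and 173 are plural ("Subresource Upgrades", "Navigational Upgrades"). Pick one form for all three, for example "Failed Upgrades", and keep the `example-failed` heading text added later in this change in step with whatever the TOC says.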
@@ -350,6 +355,9 @@ <h3 class="heading settled" data-level="1.1" id="goals"><span class="secno">1.1.
|
350 | 355 | <h3 class="heading settled" data-level="1.2" id="examples"><span class="secno">1.2. </span><span class="content">Examples</span><a class="self-link" href="#examples"></a></h3>
|
351 | 356 |
|
352 | 357 |
|
| 358 | + <h4 class="heading settled" data-level="1.2.1" id="example-subresource"><span class="secno">1.2.1. </span><span class="content">Subresource Upgrades</span><a class="self-link" href="#example-subresource"></a></h4> |
| 359 | + |
| 360 | + |
353 | 361 | <div class="example" id="example-35db2d27"><a class="self-link" href="#example-35db2d27"></a>
|
354 | 362 | Megacorp, Inc. wishes to migrate <code>http://example.com/</code> to
|
355 | 363 | <code>https://example.com</code>. They set up their servers
|
@@ -405,6 +413,9 @@ <h3 class="heading settled" data-level="1.2" id="examples"><span class="secno">1
|
405 | 413 | </div>
|
406 | 414 |
|
407 | 415 |
|
| 416 | + <h4 class="heading settled" data-level="1.2.2" id="example-navigation"><span class="secno">1.2.2. </span><span class="content">Navigational Upgrades</span><a class="self-link" href="#example-navigation"></a></h4> |
| 417 | + |
| 418 | + |
408 | 419 | <div class="example" id="example-1b5868ed"><a class="self-link" href="#example-1b5868ed"></a>
|
409 | 420 | Megacorp, Inc. isn’t quite ready to deliver Strict Transport Security
|
410 | 421 | headers <a data-link-type="biblio" href="#biblio-rfc6797">[RFC6797]</a>, but does want to keep users on secure pages when
|
@@ -452,6 +463,33 @@ <h3 class="heading settled" data-level="1.2" id="examples"><span class="secno">1
|
452 | 463 | </div>
|
453 | 464 |
|
454 | 465 |
|
| 466 | + <h4 class="heading settled" data-level="1.2.3" id="example-failed"><span class="secno">1.2.3. </span><span class="content">Failed Upgrade</span><a class="self-link" href="#example-failed"></a></h4> |
| 467 | + |
| 468 | + |
| 469 | + <div class="example" id="example-962745f2"><a class="self-link" href="#example-962745f2"></a> |
| 470 | + Tinycorp, Inc. enabled <code><a data-link-type="dfn" href="#upgrade_insecure_requests">upgrade-insecure-requests</a></code> a bit |
| 471 | + earlier than they should have, as they don’t actually support HTTPS on |
| 472 | + <code>http://cdn.example.com/</code>. Given the following code: |
| 473 | + |
| 474 | + |
| 475 | + <pre><img src="http://cdn.example.com/image.png"> |
| 476 | +</pre> |
| 477 | + |
| 478 | + |
| 479 | + |
| 480 | + <p>User agents will upgrade requests, as described in <a href="#example-subresource">§1.2.1 Subresource Upgrades</a>, |
| 481 | + rewriting the URL as <code>https://cdn.example.com/image.png</code>. As the |
| 482 | + server doesn’t respond to secure requests, this results in a network error.</p> |
| 483 | + |
| 484 | + |
| 485 | + |
| 486 | + <p>There is no fallback in this scenario: the user agent acts just as though |
| 487 | + the request had been intentionally made, and the request fails.</p> |
| 488 | + |
| 489 | + |
| 490 | + </div> |
| 491 | + |
| 492 | + |
455 | 493 | <h3 class="heading settled" data-level="1.3" id="recommendations"><span class="secno">1.3. </span><span class="content">Recommendations</span><a class="self-link" href="#recommendations"></a></h3>
|
456 | 494 |
|
457 | 495 |
|
|
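Review bot: The opening sentence at lines 470-472 says Tinycorp doesn't support HTTPS "on `http://cdn.example.com/`", which describes the missing capability in terms of an insecure URL; naming the host (`cdn.example.com`) would be clearer, since the point is that nothing answers at `https://cdn.example.com/`. At line 480, "User agents will upgrade requests" could be "will upgrade this request", because the example contains a single image. The closing paragraph at lines 486-487 states that there is no fallback but stops there; one more sentence telling authors to confirm that every host a page references serves HTTPS before they enable the directive would make the example actionable. Also check that the `<img>` inside `<pre>` at line 475 is entity-escaped in the source; as a literal tag it would render as an image and issue the request itself rather than display as sample code.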