Thanks for making this security-positive change! Quick question -- what impact, if any, would this have on captive portals? I know some folks visit sites like http://neverssl.com/ to access captive portal pages. If I understand correctly, these pages would still work, since a resource only available via http will still be accessible?
(As a further complication, I recall that http://neverssl.com/ had to use https at some point to get a cacheable page that requests an http-only resource, triggering the captive portal -- we should make sure this doesn't break).

Thanks,
-Caleb

On Wednesday, July 12, 2023 at 1:06:55 AM UTC-4 Yoav Weiss wrote:

> M115 experimentation LGTM
>
> On Tue, Jul 11, 2023, 22:53 Chris Thompson <cth...@chromium.org> wrote:
>
>> Quick additional context for this intent: we have previously sent an
>> Intent-to-Ship for this feature (see
>> https://groups.google.com/a/chromium.org/g/blink-dev/c/cAS525en8XE/m/OdMMGgLXAgAJ)
>> but we are separately requesting approval to experiment in M115 Stable as
>> our spec change <https://github.com/whatwg/fetch/pull/1655> has not yet
>> landed.
>>
>> On Tue, Jul 11, 2023 at 1:51 PM Chris Thompson <cth...@chromium.org>
>> wrote:
>>
>>> Contact emails
>>> cth...@chromium.org, dadr...@google.com
>>>
>>> Explainer
>>> https://github.com/dadrian/https-upgrade/blob/main/explainer.md
>>>
>>> Specification
>>> https://github.com/whatwg/fetch/pull/1655
>>>
>>> Summary
>>>
>>> Automatically and optimistically upgrade all main-frame navigations to
>>> HTTPS, with fast fallback to HTTP.
>>>
>>> Blink component
>>> Internals>Network>SSL>HttpsUpgrades
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Internals%3ENetwork%3ESSL%3EHttpsUpgrades>
>>>
>>> TAG review
>>> https://github.com/w3ctag/design-reviews/issues/853
>>>
>>> TAG review status
>>> Pending
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>>
>>> *Gecko*: Positive
>>> (https://github.com/mozilla/standards-positions/issues/800) Firefox is
>>> offering a similar feature already in their private browsing mode by default
>>>
>>> *WebKit*: No signal
>>> (https://github.com/WebKit/standards-positions/issues/185)
>>>
>>> *Web developers*: No signals
>>> No specific web developer signals. This
>>> feature is not exposed directly to web developers or users. However, HTTPS
>>> adoption is now standard practice (>90% of page loads in Chrome use HTTPS),
>>> and automatically upgrading navigations to HTTPS would avoid unnecessary
>>> redirects from HTTP to HTTPS for site owners. The
>>> `upgrade-insecure-requests` header has some similar functionality, and
>>> according to HTTP-Archive is found on ~6% of all requests.
>>>
>>> *Other signals*:
>>>
>>> WebView application risks
>>>
>>> Does this intent deprecate or change behavior of existing APIs, such
>>> that it has potentially high risk for Android WebView-based applications?
>>>
>>> Goals for experimentation
>>>
>>> Identify and assess breakage (e.g., sites that allow HTTPS connections
>>> but are broken or serve different content) and identify any blocking
>>> implementation bugs.
>>>
>>> Ongoing technical constraints
>>>
>>> None -- we believe we are ready to ship pending approvals on our
>>> Intent-to-Ship.
>>>
>>> Debuggability
>>>
>>> Chrome will upgrade these navigations to HTTPS using a 307 internal
>>> redirect, which will be visible in the Network panel of Developer Tools.
>>> These redirects include a `Non-Authoritative-Reason: HttpsUpgrades` header
>>> to identify the source.
>>>
>>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>>> Linux, Chrome OS, Android, and Android WebView)?
>>> No
>>>
>>> Currently not available on Android WebView. We are implementing this
>>> first for Chrome and will consider bringing this to WebView (likely as an
>>> embedder opt-in) as follow up work.
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>> Yes (https://wpt.fyi/results/https-upgrades/tentative)
>>>
>>> Flag name on chrome://flags
>>> https-upgrades
>>>
>>> Finch feature name
>>> HttpsUpgrades
>>>
>>> Non-finch justification
>>> None
>>>
>>> Requires code in //chrome?
>>> True
>>>
>>> Tracking bug
>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1394910
>>>
>>> Launch bug
>>> https://launch.corp.google.com/launch/4235192
>>>
>>> Estimated milestones
>>> Shipping on desktop 115
>>> DevTrial on desktop 115
>>> Shipping on Android 115
>>> DevTrial on Android 115
>>>
>>> Anticipated spec changes
>>>
>>> Open questions about a feature may be a source of future web compat or
>>> interop issues. Please list open issues (e.g. links to known github issues
>>> in the project for the feature specification) whose resolution may
>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>> the API in a non-backward-compatible way).
>>> https://github.com/whatwg/fetch/pull/1655
>>>
>>> Link to entry on the Chrome Platform Status
>>> https://chromestatus.com/feature/6056181032812544
>>>
>>> Links to previous Intent discussions
>>> Intent to ship:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/cAS525en8XE/m/OdMMGgLXAgAJ
>>> Intent to prototype:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/mgJqym5-Xek/m/0EAN6v7CCQAJ
>>>
>>> This intent message was generated by Chrome Platform Status
>>> <https://chromestatus.com/>.
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to blink-dev+unsubscr...@chromium.org.
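The Debuggability note quoted above says upgraded navigations appear as a 307 internal redirect carrying `Non-Authoritative-Reason: HttpsUpgrades`. The following added example, which is not part of the original thread or of Chromium's code, classifies such entries in a HAR export of the Network panel to find upgrades that did not end on HTTPS. The sample HAR is constructed, and both the HAR export containing the internal redirect and a later plain-HTTP load of the same URL marking the fallback are assumptions.

```javascript
// Added example. SAMPLE_HAR is constructed (HAR 1.2 shape), not captured from Chrome.
const redirect = (url, to, name, reason) => ({ request: { url },
  response: { status: 307, redirectURL: to, headers: [{ name, value: reason }] } });
const load = (url, status) => ({ request: { url },
  response: { status, redirectURL: '', headers: [] } });

const SAMPLE_HAR = { log: { entries: [
  redirect('http://example.test/', 'https://example.test/',
    'Non-Authoritative-Reason', 'HttpsUpgrades'),
  load('https://example.test/', 200),
  redirect('http://portal.test/login', 'https://portal.test/login',
    'non-authoritative-reason', 'HttpsUpgrades'),   // header names are case-insensitive
  load('https://portal.test/login', 0),             // HTTPS attempt failed
  load('http://portal.test/login', 200),            // assumed shape of the HTTP fallback
  redirect('http://legacy.test/', 'https://legacy.test/',
    'Non-Authoritative-Reason', 'HSTS'),            // different reason: must be ignored
] } };

function headerValue(response, name) {
  const h = (response.headers || [])
    .find(x => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : null;
}

// True only for the internal redirect described in the intent.
function isHttpsUpgrade(entry) {
  return entry.response.status === 307 &&
    entry.request.url.startsWith('http://') &&
    headerValue(entry.response, 'Non-Authoritative-Reason') === 'HttpsUpgrades';
}

// For each upgrade redirect, report whether the HTTPS load succeeded or
// the same http:// URL was loaded afterwards (fallback).
function classifyUpgrades(har) {
  const entries = har.log.entries;
  const results = [];
  entries.forEach((entry, i) => {
    if (!isHttpsUpgrade(entry)) return;
    const original = entry.request.url;
    const upgraded = entry.response.redirectURL;
    const later = entries.slice(i + 1);
    const httpsOk = later.some(e => e.request.url === upgraded &&
      e.response.status >= 200 && e.response.status < 400);
    const fellBack = later.some(e => e.request.url === original && !isHttpsUpgrade(e));
    const outcome = httpsOk ? 'upgraded' : fellBack ? 'fell-back-to-http' : 'unresolved';
    results.push({ original, upgraded, outcome });
  });
  return results;
}

console.log(classifyUpgrades(SAMPLE_HAR));
```

Entries reported as `fell-back-to-http` or `unresolved` are the ones to review for the breakage the experiment is meant to surface, captive-portal style HTTP-only pages included.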