We’ve been talking about https://github.com/mikewest/cors-rfc1918 and https://github.com/mikewest/hsts-priming in the Web Application Security WG for some time now. It would be lovely if we could transfer these documents to WICG to ensure that ongoing discussion is as open as possible.
Although [RFC1918] has specified a distinction between “private” and “public” internet addresses for over a decade, user agents haven’t made much progress at segregating the one from the other. Websites on the public internet can make requests to internal devices and servers, which enable a number of malicious behaviors, including attacks on users’ routers like those documented in [DRIVE-BY-PHARMING] (and, more recenly, [SOHO-PHARMING] and [CSRF-EXPLOIT-KIT]).
Here, we propose a mitigation against these kinds of attacks that would require internal devices to explicitly opt-in to requests from the public internet.
Blink has a partial implementation of this mechanism behind a flag.
This document spells out a mixed-content mitigation that would allow user agents to apply HSTS upgrades for insecure resources before applying mixed-content checks. Ideally, we’d be able to transparently upgrade HSTS’d resources for all sites rather than blocking them. It’s something of the inverse of
Upgrade-Insecure-Requests: that mechanism allows a site to assert that its dependencies are secure, this mechanism allows a dependency to assert that it should never be embedded insecurely.
Firefox has an implementation of this mechanism behind a flag.