W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

Re: fyi: Strict Transport Security specification

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 18 Sep 2009 22:54:43 -0700
Message-ID: <7789133a0909182254k346200ceiead026e4e0e44163@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, public-webapps@w3.org, Jeff Hodges <jeff.hodges@paypal.com>, Collin Jackson <collin.jackson@sv.cmu.edu>
On Fri, Sep 18, 2009 at 10:30 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> I wonder for example if the client when receiving a
> Strict-Transport-Security header should make a request to the root url
> of the same origin to verify that the server indeed wants to opt in to
> STS.

That's a good idea.  Do you think we should do that for all instances
of Strict-Transport-Security, or just for headers with the
includeSubDomains directive?

Received on Saturday, 19 September 2009 06:03:18 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:18 UTC