Re: fyi: Strict Transport Security specification

On Fri, Sep 18, 2009 at 10:30 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> I wonder for example if the client when receiving a
> Strict-Transport-Security header should make a request to the root URL
> of the same origin to verify that the server indeed wants to opt in to
> STS.

That's a good idea.  Do you think we should do that for all instances
of Strict-Transport-Security, or just for headers with the
includeSubDomains directive?

Adam

Received on Saturday, 19 September 2009 06:03:18 UTC