- From: Adam Langley <agl@google.com>
- Date: Wed, 19 Nov 2014 13:30:15 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Nov 19, 2014 at 1:07 PM, Brian Smith <brian@briansmith.org> wrote:
> I lean toward what Henri suggested: developer tools should make noise,
> but the browser should do the redirect to the HTTPS origin instead of
> blocking.

Chrome applies mixed-content rules before HSTS redirects are considered and it's unlikely that we would change that. Otherwise sites randomly work or not based on whether the profile has previously visited (and thus remembered HSTS for) an origin. Also, it leaves mixed-content issues to bite people using browsers that don't implement HSTS (and possibly allow dangerous loads).

Cheers

AGL

Received on Wednesday, 19 November 2014 21:31:02 UTC
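
The ordering argument in the message above, as an added example that is not part of the original message and is not any browser's code: a simplified JavaScript model that evaluates one `http://` subresource on an HTTPS page under both check orders, across three profiles. `HstsStore`, `decide`, `outcomes` and the `example.test` hosts are assumptions constructed for illustration.

```javascript
// Simplified model for illustration (assumption): not any browser's real code.
class HstsStore {
  constructor() { this.entries = new Map(); }
  // Remember a Strict-Transport-Security policy seen on an earlier HTTPS visit.
  note(host, maxAgeSec, includeSubDomains, now) {
    this.entries.set(host, { expires: now + maxAgeSec * 1000, includeSubDomains });
  }
  // True if host, or a parent with includeSubDomains, has an unexpired entry.
  covers(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join('.'));
      if (e && e.expires > now && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
}

const isMixed = (page, res) =>
  new URL(page).protocol === 'https:' && new URL(res).protocol === 'http:';

// Rewrite http: to https: when the profile's HSTS store covers the host.
// store === null models a browser that does not implement HSTS.
function upgrade(res, store, now) {
  const u = new URL(res);
  if (u.protocol === 'http:' && store && store.covers(u.hostname, now)) u.protocol = 'https:';
  return u.href;
}

// order 'mixed-first': mixed-content check runs before HSTS (as the message says Chrome does).
// order 'hsts-first': the redirect-instead-of-block behaviour under discussion.
function decide(page, res, store, order, now) {
  const url = order === 'hsts-first' ? upgrade(res, store, now) : res;
  if (isMixed(page, url)) return { action: 'block', url };
  return { action: 'load', url: upgrade(url, store, now) };
}

// Constructed sample: an HTTPS page referencing a script over http://.
const NOW = Date.UTC(2014, 10, 19);
const PAGE = 'https://shop.example.test/';
const SCRIPT = 'http://cdn.example.test/app.js';
const returning = new HstsStore(); // profile that visited example.test yesterday
returning.note('example.test', 31536000, true, NOW - 86400000);
const profiles = { fresh: new HstsStore(), returning, noHsts: null };
function outcomes(order) {
  return Object.fromEntries(Object.entries(profiles).map(
    ([name, store]) => [name, decide(PAGE, SCRIPT, store, order, NOW).action]));
}
console.log({ hstsFirst: outcomes('hsts-first'), mixedFirst: outcomes('mixed-first') });
```

Under `hsts-first` only the returning profile loads the script, so the same page works or breaks depending on browsing history; under `mixed-first` every profile gets the same result and the `http://` reference has to be fixed at the source.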