- From: Peter Eckersley <pde@eff.org>
- Date: Sat, 7 Mar 2015 02:36:30 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>, Ilya Grigorik <igrigorik@google.com>, Yoav Weiss <yoav@yoav.ws>
On Fri, Mar 06, 2015 at 07:43:55PM +0100, Mike West wrote:

> I don't understand why HSTS needs to be conditionally set. Presumably
> you're only redirecting "safely upgradable requests" to HTTPS if you're
> this spec's target audience.

It's very important that HSTS be conditionally settable, because even if the site itself only conditionally redirects to HTTPS, inbound links from other sites will send old clients to the HTTPS site, and they'll pick up the HSTS header that way.

Now that I think about it, some sites will also need to serve conditional downgrade redirects from HTTPS -> HTTP if the header is absent, in order to preempt mixed content breakage :(

-- 
Peter Eckersley                        pde@eff.org
Technology Projects Director           Tel  +1 415 436 9333 x131
Electronic Frontier Foundation         Fax  +1 415 436 9993
Received on Saturday, 7 March 2015 10:37:02 UTC
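The response policy Peter sketches above (redirect to HTTPS and emit HSTS only for clients that announced they can upgrade; send legacy clients that arrive over HTTPS back to HTTP rather than letting them cache HSTS or hit mixed-content breakage), written out as an added illustration that is not part of this thread or of the Upgrade Insecure Requests spec text. It assumes the client signal is the `Upgrade-Insecure-Requests: 1` request header as the published spec names it (the message only says "the header"), the `max-age` value is a constructed placeholder, and `plan_response` is a hypothetical helper standing in for whatever a real server's middleware would be. A `Vary: Upgrade-Insecure-Requests` header is included so shared caches do not hand one client class the other's response.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumption: the client-capability signal is the request header the
# Upgrade Insecure Requests spec defines; the mail itself just says "the header".
UIR_HEADER = "upgrade-insecure-requests"
# Constructed placeholder policy; pick a real max-age for a real deployment.
HSTS_VALUE = "max-age=31536000"


def client_can_upgrade(request_headers: Dict[str, str]) -> bool:
    """True when the client announced it will upgrade http:// subresources itself."""
    normalized = {k.lower(): v.strip() for k, v in request_headers.items()}
    return normalized.get(UIR_HEADER) == "1"


def _swap_scheme(url: str, scheme: str) -> str:
    """Rebuild the URL with a different scheme; host, port, path and query are kept."""
    parts = urlsplit(url)
    return urlunsplit((scheme,) + tuple(parts[1:]))


def plan_response(url: str, request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Hypothetical decision step for a site that can only serve HTTPS to upgrading clients.

    Returns (status, response_headers). The page body is not modelled here.
    """
    scheme = urlsplit(url).scheme
    upgradable = client_can_upgrade(request_headers)
    # Both client classes get different answers for the same URL, so caches must key on the header.
    headers: Dict[str, str] = {"Vary": "Upgrade-Insecure-Requests"}

    if scheme == "http":
        if upgradable:
            # Safe to move this client to HTTPS: it will upgrade our http:// subresources.
            headers["Location"] = _swap_scheme(url, "https")
            return 307, headers
        # Legacy client: keep serving it over HTTP. An HSTS header on a plain-HTTP
        # response is ignored by browsers anyway, so none is emitted here.
        return 200, headers

    # HTTPS request.
    if upgradable:
        # Only now is it safe to pin the client to HTTPS via HSTS.
        headers["Strict-Transport-Security"] = HSTS_VALUE
        return 200, headers

    # A legacy client reached https:// (e.g. via an inbound link). Emitting HSTS would pin it
    # to a representation that breaks on mixed content, so downgrade it without HSTS instead.
    headers["Location"] = _swap_scheme(url, "http")
    return 307, headers


if __name__ == "__main__":
    # Constructed sample requests: one modern client, one legacy client, over each scheme.
    for url in ("http://example.com/page?x=1", "https://example.com/page?x=1"):
        for hdrs in ({"Upgrade-Insecure-Requests": "1"}, {}):
            status, out = plan_response(url, hdrs)
            print(f"{url} {'modern' if hdrs else 'legacy'} -> {status} {out}")
```

The downgrade branch is the part Peter adds at the end of his message: it is what keeps the HSTS header from ever being observed by a client that cannot cope with the HTTPS representation, whichever way that client arrived at the HTTPS URL.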