- From: Peter Eckersley <pde@eff.org>
- Date: Sat, 7 Mar 2015 02:39:54 -0800
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>, Ilya Grigorik <igrigorik@google.com>, Yoav Weiss <yoav@yoav.ws>
On Fri, Mar 06, 2015 at 11:16:50AM -0800, Martin Thomson wrote:
> I understood this as "If you support this upgrade, might as well just
> use HSTS". But can't save the extra bytes by disabling this signal if
> HSTS is enabled?

Almost. The problem is that if the HSTS header isn't in the preload list, the client needs to see it again occasionally in order for HSTS to be renewed. This could be finessed in various ways, such as only sending the Prefer header for / or favicon.ico once HSTS is active; only sending it once a certain fraction of maxage has passed, or only sending it with a small probability on each request.

-- 
Peter Eckersley pde@eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
Received on Saturday, 7 March 2015 10:40:24 UTC
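The three "finesses" Peter lists above, written out as client-side logic (added example, not code from the thread, from the EFF, or from any browser). It models a user agent's HSTS cache: the Strict-Transport-Security header is parsed per RFC 6797 (max-age required, directives must not repeat, max-age=0 removes the host), an entry expires once max-age has elapsed, and the decision to keep sending the upgrade signal (the Prefer header in the thread) once HSTS is active is driven by a policy object. The names HstsCache, shouldSendUpgradeSignal and the policy keys probeOnlyPaths, renewFraction and sampleProbability are assumptions of this example; the RNG is injectable so the probabilistic variant can be tested deterministically. The policy keys can be combined (the signal is sent if any enabled heuristic says so), which goes slightly beyond the alternatives the mail sketches.

```javascript
// Added example (not part of the mailing-list thread): a user-agent-side HSTS
// cache plus the decision whether to still send the upgrade signal.
// Names of the class, function and policy keys are assumed for illustration.

class HstsCache {
  constructor() {
    this.entries = new Map(); // host -> { observedAt, maxAgeMs, includeSubDomains }
  }

  // Record or renew an HSTS entry from a Strict-Transport-Security header
  // value (RFC 6797 section 6.1). Returns the stored entry, { deleted: true }
  // for max-age=0, or null when the header is malformed and must be ignored.
  observeHeader(host, headerValue, nowMs) {
    let maxAge = null;
    let includeSubDomains = false;
    for (const raw of headerValue.split(';')) {
      const directive = raw.trim();
      if (directive === '') continue;
      const eq = directive.indexOf('=');
      const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
      const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
      if (name === 'max-age') {
        // A repeated directive or a non-numeric value invalidates the header.
        if (maxAge !== null || !/^\d+$/.test(value || '')) return null;
        maxAge = Number(value);
      } else if (name === 'includesubdomains') {
        includeSubDomains = true;
      }
      // Unknown directives are ignored, as the RFC requires.
    }
    if (maxAge === null) return null; // max-age is mandatory
    host = host.toLowerCase();
    if (maxAge === 0) { // max-age=0 tells the UA to forget the host
      this.entries.delete(host);
      return { deleted: true };
    }
    const entry = { observedAt: nowMs, maxAgeMs: maxAge * 1000, includeSubDomains };
    this.entries.set(host, entry);
    return entry;
  }

  // The entry that currently makes HSTS active for this host: an exact
  // match, or a parent domain whose entry carries includeSubDomains.
  // Expired entries are evicted on the way.
  activeEntry(host, nowMs) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (nowMs - entry.observedAt >= entry.maxAgeMs) { // max-age has run out
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return entry;
    }
    return null;
  }
}

// Should the client send the upgrade signal on this request?
//   - no active HSTS entry: always, so the server can still move us to HTTPS
//   - policy.probeOnlyPaths: only on the listed paths (e.g. "/" or "/favicon.ico")
//   - policy.renewFraction: only once that fraction of max-age has elapsed
//   - policy.sampleProbability: with that probability on each request
// `random` must return a number in [0, 1); it is a parameter so tests are deterministic.
function shouldSendUpgradeSignal(cache, host, path, nowMs, policy, random = Math.random) {
  const entry = cache.activeEntry(host, nowMs);
  if (!entry) return true;
  if (Array.isArray(policy.probeOnlyPaths) && policy.probeOnlyPaths.includes(path)) return true;
  if (policy.renewFraction !== undefined &&
      nowMs - entry.observedAt >= policy.renewFraction * entry.maxAgeMs) return true;
  if (policy.sampleProbability !== undefined && random() < policy.sampleProbability) return true;
  return false;
}
```

With probeOnlyPaths alone the client is silent on every request except the navigation to / or the favicon fetch; with renewFraction it goes quiet for, say, the first half of max-age and then resumes signalling until the next Strict-Transport-Security header resets the clock; with sampleProbability the per-request cost is spread thinly over all traffic. A site whose host is on the preload list never needs any of this, which is exactly the distinction the mail draws.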