Alt-Svc and HSTS from Tatsuhiro Tsujikawa on 2015-03-30 (ietf-http-wg@w3.org from January to March 2015)

From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Mon, 30 Mar 2015 09:57:01 +0900
To: ietf-http-wg@w3.org
Message-ID: <CAPyZ6=+smQVkn_4Urtj__1uiGRKn-x8Vs0JrnKW1DhM_ZCYH9Q@mail.gmail.com>

Hi,

I enabled HSTS for https://nghttp2.org a while back.  Few days ago, I
enabled Alt-Svc at http://nghttp2.org with h2="nghttp2.org:443". OE works
fine with Firefox Nightly and so far so good.
Then I got a comment[1] from twitter that "if there is HSTS, all requests
should be https to start with, so no Alt-Svc."
The comment is understandable when considering the effect of HSTS, but
should Alt-Svc really be avoided in this case?  If HSTS is used, we
probably should do automatic redirect to https from http, so this scenario
is not a real use case.

[1] https://mobile.twitter.com/ericlaw/statuses/582217188062298113

Best regards,
Tatsuhiro Tsujikawa

Received on Monday, 30 March 2015 00:57:29 UTC