Re: Alt-Svc and HSTS

so I would agree that hsts and OE wouldn't be expected to be on the same
host. HSTS is used to get an always-https:// semantic and OE is used when
you are accessing an http:// url. HSTS is better simply because https:// is

Normally any http:// access would get redirected manually on a site to
https:// if the HSTS directive wasn't stored on the client yet (and the
https response would populate the directive on the client).. future http://
accesses have their origins automatically redirected inside the client to
https.. so there really isn't a role for OE there.

However you might want to use Alt-Svc within https for load balancing or
shedding purposes.


On Sun, Mar 29, 2015 at 8:57 PM, Tatsuhiro Tsujikawa <>

> Hi,
> I enabled HSTS for a while back.  Few days ago, I
> enabled Alt-Svc at with h2="". OE works
> fine with Firefox Nightly and so far so good.
> Then I got a comment[1] from twitter that "if there is HSTS, all requests
> should be https to start with, so no Alt-Svc."
> The comment is understandable when considering the effect of HSTS, but
> should Alt-Svc really be avoided in this case?  If HSTS is used, we
> probably should do automatic redirect to https from http, so this scenario
> is not a real use case.
> [1]
> Best regards,
> Tatsuhiro Tsujikawa

Received on Monday, 30 March 2015 02:24:06 UTC