- From: Patrick McManus <mcmanus@ducksong.com>
- Date: Sun, 29 Mar 2015 22:23:38 -0400
- To: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAOdDvNqexud-e_tJ+J91=aAfo2S-+zBRo1eDResVtSuMGZ_Jvw@mail.gmail.com>

So I would agree that HSTS and OE wouldn't be expected to be on the same host. HSTS is used to get an always-https:// semantic and OE is used when you are accessing an http:// url. HSTS is better simply because https:// is better.

Normally any http:// access would get redirected manually on a site to https:// if the HSTS directive wasn't stored on the client yet (and the https response would populate the directive on the client).. future http:// accesses have their origins automatically redirected inside the client to https.. so there really isn't a role for OE there.

However you might want to use Alt-Svc within https for load balancing or shedding purposes.

-P

On Sun, Mar 29, 2015 at 8:57 PM, Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> wrote:

> Hi,
>
> I enabled HSTS for https://nghttp2.org a while back. A few days ago, I
> enabled Alt-Svc at http://nghttp2.org with h2="nghttp2.org:443". OE works
> fine with Firefox Nightly and so far so good.
> Then I got a comment[1] from twitter that "if there is HSTS, all requests
> should be https to start with, so no Alt-Svc."
> The comment is understandable when considering the effect of HSTS, but
> should Alt-Svc really be avoided in this case? If HSTS is used, we
> probably should do automatic redirect to https from http, so this scenario
> is not a real use case.
>
> [1] https://mobile.twitter.com/ericlaw/statuses/582217188062298113
>
> Best regards,
> Tatsuhiro Tsujikawa

Received on Monday, 30 March 2015 02:24:06 UTC
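
The client behaviour discussed in this thread, as an added example that is not part of the original messages or of any browser's code: a simplified model of how a client picks the request scheme and connection target from its HSTS store and Alt-Svc cache. The function names, the `hsts_store` and cache layouts, and the mode labels are assumptions made for illustration; expiry (`max-age`, `ma`) is parsed or ignored but not enforced, and only the first alternative is used.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def parse_hsts(value):
    """Strict-Transport-Security value -> (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def parse_alt_svc(value, origin_host):
    """Alt-Svc value such as h2="nghttp2.org:443" -> [(protocol, host, port)]."""
    alternatives = []
    for entry in value.split(","):
        alt = entry.split(";")[0].strip()            # parameters (e.g. ma=) ignored here
        proto, _, authority = alt.partition("=")
        host, _, port = authority.strip('"').rpartition(":")
        alternatives.append((proto, host or origin_host, int(port)))
    return alternatives

def hsts_applies(host, hsts_store):
    """hsts_store (assumed layout) maps host -> include_subdomains, unexpired only."""
    return any(host == k or (sub and host.endswith("." + k)) for k, sub in hsts_store.items())

def plan_request(url, hsts_store, alt_svc_cache):
    """Decide the scheme the request carries and where the client connects."""
    u = urlsplit(url)
    scheme, host, port = u.scheme, u.hostname, u.port
    mode = "direct"
    if scheme == "http" and hsts_applies(host, hsts_store):
        scheme, mode = "https", "hsts-upgrade"       # rewritten inside the client
        port = None if port in (None, 80) else port  # default port 80 becomes 443
    port = port or DEFAULT_PORT[scheme]
    # Alt-Svc is cached per origin, so an entry learned from http://host is
    # never consulted once HSTS has turned the request into https://host.
    alts = alt_svc_cache.get((scheme, host, port))
    if alts:
        proto, alt_host, alt_port = alts[0]
        if mode == "direct":
            mode = "opportunistic-encryption" if scheme == "http" else "alt-svc"
        return {"scheme": scheme, "connect": (alt_host, alt_port), "protocol": proto, "mode": mode}
    return {"scheme": scheme, "connect": (host, port), "protocol": None, "mode": mode}

# Constructed sample: Alt-Svc learned from http://nghttp2.org, as in the thread.
SAMPLE_CACHE = {("http", "nghttp2.org", 80): parse_alt_svc('h2="nghttp2.org:443"', "nghttp2.org")}
```

With an empty HSTS store the model reports opportunistic encryption for `http://nghttp2.org/`; once the host is in the store, the same URL is upgraded to https and the http-origin Alt-Svc entry goes unused.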