
Re: Alt-Svc and HSTS

From: Patrick McManus <mcmanus@ducksong.com>
Date: Sun, 29 Mar 2015 22:23:38 -0400
Message-ID: <CAOdDvNqexud-e_tJ+J91=aAfo2S-+zBRo1eDResVtSuMGZ_Jvw@mail.gmail.com>
To: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
So I would agree that HSTS and OE wouldn't be expected to be on the same
host. HSTS is used to get an always-https:// semantic and OE is used when
you are accessing an http:// url. HSTS is better simply because https:// is
better.

Normally any http:// access would get redirected manually on a site to
https:// if the HSTS directive wasn't stored on the client yet (and the
https response would populate the directive on the client). Future http://
accesses have their origins automatically redirected inside the client to
https, so there really isn't a role for OE there.

However you might want to use Alt-Svc within https for load balancing or
shedding purposes.

-P

On Sun, Mar 29, 2015 at 8:57 PM, Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
wrote:

> Hi,
>
> I enabled HSTS for https://nghttp2.org a while back.  A few days ago, I
> enabled Alt-Svc at http://nghttp2.org with h2="nghttp2.org:443". OE works
> fine with Firefox Nightly and so far so good.
> Then I got a comment[1] from Twitter that "if there is HSTS, all requests
> should be https to start with, so no Alt-Svc."
> The comment is understandable when considering the effect of HSTS, but
> should Alt-Svc really be avoided in this case?  If HSTS is used, we
> probably should do an automatic redirect to https from http, so this scenario
> is not a real use case.
>
> [1] https://mobile.twitter.com/ericlaw/statuses/582217188062298113
>
> Best regards,
> Tatsuhiro Tsujikawa
>
Received on Monday, 30 March 2015 02:24:06 UTC
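
The client-side ordering discussed in this thread, as an added example that is not part of either message or of any browser's code: a toy user agent in which the HSTS upgrade runs before the Alt-Svc lookup, so an Alt-Svc entry learned on the http:// origin only produces OE while no HSTS entry is stored. The `Client` class and its method names are hypothetical, and the model simplifies both headers (no `ma`, no `includeSubDomains`, default ports only).

```python
import re
import time
from urllib.parse import urlsplit

class Client:
    """Toy user agent: an HSTS store plus a per-origin Alt-Svc cache."""

    def __init__(self):
        self.hsts = {}     # host -> expiry time (seconds since epoch)
        self.alt_svc = {}  # (scheme, host, port) -> (protocol, host, port)

    @staticmethod
    def _origin(url):
        u = urlsplit(url)
        return u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80)

    def on_response(self, url, headers, now=None):
        """Record HSTS and Alt-Svc state from one response's headers."""
        now = time.time() if now is None else now
        scheme, host, port = self._origin(url)
        sts = headers.get("Strict-Transport-Security")
        # RFC 6797: an STS header received over plain http must be ignored.
        if sts and scheme == "https":
            m = re.search(r"max-age=(\d+)", sts, re.I)
            if m:
                self.hsts[host] = now + int(m.group(1))
        alt = headers.get("Alt-Svc")
        if alt:
            m = re.match(r'\s*([\w.-]+)="([^":]*):(\d+)"', alt)
            if m:
                proto, alt_host, alt_port = m.groups()
                # An empty host means "same host as the origin".
                self.alt_svc[(scheme, host, port)] = (proto, alt_host or host, int(alt_port))

    def plan(self, url, now=None):
        """Return (effective_url, how) for a request to url."""
        now = time.time() if now is None else now
        scheme, host, port = self._origin(url)
        if scheme == "http" and self.hsts.get(host, 0) > now:
            # Internal upgrade happens before any Alt-Svc lookup, so the
            # entry cached for the http:// origin is never consulted (no OE).
            url = urlsplit(url)._replace(scheme="https", netloc=host).geturl()
            scheme, port = "https", 443
        alt = self.alt_svc.get((scheme, host, port))
        if alt is None:
            return url, "direct"
        kind = "opportunistic-encryption" if scheme == "http" else "alt-svc"
        return url, f"{kind} via {alt[0]} {alt[1]}:{alt[2]}"
```

Alt-Svc entries are keyed by origin, so one advertised by the https:// origin (the load-balancing case mentioned in the reply) still applies after the upgrade.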
