W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Re: Alt-Svc and HSTS

From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Mon, 30 Mar 2015 15:53:21 +0900
Message-ID: <CAPyZ6=LKeCDHCpS5T4Vxe6u1GKBrdbLS_RkT3fhZsoOygdKAvw@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi,

On Mon, Mar 30, 2015 at 11:23 AM, Patrick McManus <mcmanus@ducksong.com>
wrote:

> so I would agree that hsts and OE wouldn't be expected to be on the same
> host. HSTS is used to get an always-https:// semantic and OE is used when
> you are accessing an http:// url. HSTS is better simply because https://
> is better.
>
> Normally any http:// access would get redirected manually on a site to
> https:// if the HSTS directive wasn't stored on the client yet (and the
> https response would populate the directive on the client).. future http://
> accesses have their origins automatically redirected inside the client to
> https.. so there really isn't a role for OE there.
>
> However you might want to use Alt-Svc within https for load balancing or
> shedding purposes.
>
>
​Thanks.  Our web site provides http and https endpoints for testing
purpose, so it would be better to remove HSTS from https in this particular
case.

Best regards,
Tatsuhiro Tsujikawa



> -P
>
> On Sun, Mar 29, 2015 at 8:57 PM, Tatsuhiro Tsujikawa <
> tatsuhiro.t@gmail.com> wrote:
>
>> Hi,
>>
>> I enabled HSTS for https://nghttp2.org a while back.  Few days ago, I
>> enabled Alt-Svc at http://nghttp2.org with h2="nghttp2.org:443". OE
>> works fine with Firefox Nightly and so far so good.
>> Then I got a comment[1] from twitter that "if there is HSTS, all requests
>> should be https to start with, so no Alt-Svc."
>> The comment is understandable when considering the effect of HSTS, but
>> should Alt-Svc really be avoided in this case?  If HSTS is used, we
>> probably should do automatic redirect to https from http, so this scenario
>> is not a real use case.
>>
>> [1] https://mobile.twitter.com/ericlaw/statuses/582217188062298113
>>
>> Best regards,
>> Tatsuhiro Tsujikawa
>>
>
>
Received on Monday, 30 March 2015 06:54:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:43 UTC