Re: Alt-Svc and HSTS

Hi,

On Mon, Mar 30, 2015 at 11:23 AM, Patrick McManus <mcmanus@ducksong.com>
wrote:

> so I would agree that hsts and OE wouldn't be expected to be on the same
> host. HSTS is used to get an always-https:// semantic and OE is used when
> you are accessing an http:// url. HSTS is better simply because https://
> is better.
>
> Normally any http:// access would get redirected manually on a site to
> https:// if the HSTS directive wasn't stored on the client yet (and the
> https response would populate the directive on the client).. future http://
> accesses have their origins automatically redirected inside the client to
> https.. so there really isn't a role for OE there.
>
> However you might want to use Alt-Svc within https for load balancing or
> shedding purposes.
>
>
Thanks.  Our web site provides http and https endpoints for testing
purposes, so it would be better to remove HSTS from https in this particular
case.

Best regards,
Tatsuhiro Tsujikawa



> -P
>
> On Sun, Mar 29, 2015 at 8:57 PM, Tatsuhiro Tsujikawa <
> tatsuhiro.t@gmail.com> wrote:
>
>> Hi,
>>
>> I enabled HSTS for https://nghttp2.org a while back.  A few days ago, I
>> enabled Alt-Svc at http://nghttp2.org with h2="nghttp2.org:443". OE
>> works fine with Firefox Nightly and so far so good.
>> Then I got a comment[1] from Twitter that "if there is HSTS, all requests
>> should be https to start with, so no Alt-Svc."
>> The comment is understandable when considering the effect of HSTS, but
>> should Alt-Svc really be avoided in this case?  If HSTS is used, we
>> probably should do automatic redirect to https from http, so this scenario
>> is not a real use case.
>>
>> [1] https://mobile.twitter.com/ericlaw/statuses/582217188062298113
>>
>> Best regards,
>> Tatsuhiro Tsujikawa
>>
>
>

Received on Monday, 30 March 2015 06:54:09 UTC
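
The client behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of a browser's HSTS store and Alt-Svc cache, showing why OE stops applying once the HSTS directive is stored. The class and function names and the max-age value are assumptions made for illustration; the Alt-Svc value is the one quoted in the thread.

```python
import re
from urllib.parse import urlsplit

def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80)

class Client:
    """Simplified model (assumption): no expiry, no includeSubDomains, h2 only."""
    def __init__(self):
        self.hsts = set()    # hosts with a stored HSTS directive
        self.alt_svc = {}    # (scheme, host, port) -> (alt_host, alt_port)

    def learn(self, url, headers):
        scheme, host, port = origin(url)
        sts = re.search(r'max-age="?(\d+)',
                        headers.get("strict-transport-security", ""), re.I)
        # RFC 6797: an HSTS header received over plain http is ignored.
        if sts and scheme == "https":
            if int(sts.group(1)) > 0:
                self.hsts.add(host)
            else:
                self.hsts.discard(host)  # max-age=0 removes the directive
        alt = re.match(r'h2="([^":]*):(\d+)"', headers.get("alt-svc", ""))
        if alt:
            self.alt_svc[(scheme, host, port)] = (alt.group(1) or host,
                                                  int(alt.group(2)))

    def plan(self, url):
        """Return (url_scheme, connect_host, connect_port, steps)."""
        scheme, host, port = origin(url)
        steps = []
        if scheme == "http" and host in self.hsts:
            # The rewrite happens inside the client, before any network access.
            scheme, port = "https", (443 if port == 80 else port)
            steps.append("hsts-upgrade")
        alt = self.alt_svc.get((scheme, host, port))
        if alt:
            steps.append("opportunistic-encryption" if scheme == "http" else "alt-svc")
        target = alt or (host, port)
        return scheme, target[0], target[1], steps

def walkthrough():
    c = Client()
    sts = "max-age=31536000"  # constructed sample value
    first = c.plan("http://nghttp2.org/")
    c.learn("http://nghttp2.org/", {"alt-svc": 'h2="nghttp2.org:443"',
                                    "strict-transport-security": sts})
    oe = c.plan("http://nghttp2.org/")
    c.learn("https://nghttp2.org/", {"strict-transport-security": sts})
    return first, oe, c.plan("http://nghttp2.org/")
```

The third result carries only the HSTS upgrade: the Alt-Svc entry learned for the http origin is never consulted again, while an Alt-Svc header sent on the https origin would still be honoured.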