Re: [whatwg/fetch] Privacy-preserving HSTS (#920)

The Chrome team has discussed internally what to do about this.  There was pretty strong sentiment that it was valuable to learn HSTS information from all subresources, even from cross-origin requests, but we could get by with only applying them to top level navigations (without any storage isolation key).

Within the next year, the plan is to auto-upgrade all HTTP resources made in HTTPS contexts, so that just leaves us HTTP requests to HSTS domains made in HTTP contexts, and whether we want to apply HSTS to those as well - we could double-key the HSTS information for those, and just do a cross double-key check for navigations.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/920#issuecomment-535617381

Received on Thursday, 26 September 2019 17:56:17 UTC
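The storage policy sketched in the comment above (learn HSTS from every response including cross-origin subresources, store it double-keyed by top-level site, apply it to top-level navigations with a cross double-key check, and auto-upgrade subresources in HTTPS contexts), modelled as an added example. This is not Chrome's code or the Fetch specification's text; the class and function names are hypothetical, entry expiry is not modelled, and the top-level site is passed in as a plain string rather than derived from a URL.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Hypothetical model of "double-keyed HSTS with a cross double-key navigation
# check". Entries are (top-level site, HSTS host) pairs; expiry is omitted.
PartitionKey = Tuple[str, str]


def parse_max_age(sts_header: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security header,
    or None when the header carries no usable max-age."""
    for directive in sts_header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None


@dataclass
class DoubleKeyedHSTS:
    entries: Set[PartitionKey] = field(default_factory=set)

    def learn(self, top_level_site: str, host: str, headers: Dict[str, str]) -> bool:
        """Record HSTS for `host` under the partition of `top_level_site`.
        Called for every response, cross-origin subresources included.
        Returns True if an entry exists for this partition afterwards."""
        sts = headers.get("strict-transport-security")
        if sts is None:
            return False
        max_age = parse_max_age(sts)
        if max_age is None:
            return False
        key = (top_level_site, host)
        if max_age == 0:
            # max-age=0 clears the policy for this partition only
            self.entries.discard(key)
            return False
        self.entries.add(key)
        return True

    def upgrade_navigation(self, host: str) -> bool:
        """Top-level navigations use a cross double-key check: an entry for
        `host` learned under any top-level site upgrades the navigation."""
        return any(h == host for _, h in self.entries)

    def upgrade_subresource(self, top_level_site: str, host: str,
                            context_is_https: bool) -> bool:
        """Subresources in HTTPS contexts are auto-upgraded regardless of HSTS;
        in HTTP contexts HSTS applies only within the same partition."""
        if context_is_https:
            return True
        return (top_level_site, host) in self.entries


if __name__ == "__main__":
    # Constructed sample: an HSTS header seen on a cross-origin subresource
    store = DoubleKeyedHSTS()
    hdrs = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
    store.learn("news.example", "cdn.example", hdrs)
    print("navigation to cdn.example upgraded:", store.upgrade_navigation("cdn.example"))
    print("subresource from other.example (HTTP ctx):",
          store.upgrade_subresource("other.example", "cdn.example", False))
```

The subresource path is what keeps the store from acting as a cross-site identifier: a host's HSTS state learned under one top-level site is invisible to HTTP-context requests under another, while navigations still get the protection from any partition.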