- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 18 Sep 2009 22:54:43 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, public-webapps@w3.org, Jeff Hodges <jeff.hodges@paypal.com>, Collin Jackson <collin.jackson@sv.cmu.edu>
On Fri, Sep 18, 2009 at 10:30 PM, Jonas Sicking <jonas@sicking.cc> wrote: > I wonder for example if the client when receiving a > Strict-Transport-Security header should make a request to the root url > of the same origin to verify that the server indeed wants to opt in to > STS. That's a good idea. Do you think we should do that for all instances of Strict-Transport-Security, or just for headers with the includeSubDomains directive? Adam
Received on Saturday, 19 September 2009 06:03:18 UTC