- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 19 Sep 2009 07:49:20 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, public-webapps@w3.org, Jeff Hodges <jeff.hodges@paypal.com>, Collin Jackson <collin.jackson@sv.cmu.edu>
On Sat, Sep 19, 2009 at 1:46 AM, Jonas Sicking <jonas@sicking.cc> wrote:

> (am I understanding it correctly that http requests can't opt in to STS?)

Well, they opt in by redirecting to HTTPS and then sending the header over HTTPS. :)

One virtue of your algorithm is that there are no extra requests in the common cases. For example, if the site does everything over HTTPS, then we never have to confirm the STS directive. Also, if the user enters the site by typing "example.com" in the location bar, then we also won't make any extra requests because the first HTTPS URL we'll see is "/" anyway.

The only potentially tricky situation is that, when we look for confirmation, we need to be prepared to deal with an attacker who blocks that request (because we're now in an attack scenario), but I think we can deal with that by stalling the HTTP request while we wait for confirmation.

Adam
Received on Saturday, 19 September 2009 14:51:17 UTC
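The opt-in rule Adam describes (the STS header only counts when it arrives over HTTPS, and once recorded the client rewrites later plain-HTTP navigations to that host before any request leaves) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from any browser, or from the STS specification under discussion, and it deliberately leaves out the "confirmation" step of Jonas's algorithm, whose details are not in this message. The `StsStore` and `parse_sts` names, the in-memory policy table, and the injected clock are all assumptions of the example.

```python
"""Minimal model of Strict-Transport-Security (STS) opt-in.

Example code added for illustration (not from the mailing-list thread or any
browser). It shows two defender-side properties from the discussion:
  * an STS header seen over plain HTTP is ignored (a network attacker could
    have injected it), so the only way to opt in is via an HTTPS response;
  * once a host is known, http:// URLs for it are rewritten to https:// in the
    client, so no extra plaintext request is made in the common case.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse 'max-age=N[; includeSubDomains]' (directive names are
    case-insensitive). Returns (max_age_seconds, include_subdomains) or None
    when the header is malformed or has no max-age."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class StsStore:
    """In-memory policy table: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._policies = {}

    def observe_response(self, url, headers):
        """Record an STS directive from a response. Returns True only if the
        directive was accepted, which requires the response to be HTTPS.
        `headers` is assumed to be a dict with canonical header names."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        raw = headers.get("Strict-Transport-Security")
        if raw is None:
            return False
        policy = parse_sts(raw)
        if policy is None:
            return False
        max_age, include_sub = policy
        host = parts.hostname.lower()
        if max_age == 0:                 # max-age=0 means "forget this host"
            self._policies.pop(host, None)
            return True
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if `host` or an includeSubDomains parent has an unexpired policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts, with no network round trip.
        An explicit port other than 80 is kept; port 80 (or none) is dropped."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

A client using this store would call `rewrite` on every navigation URL before issuing the request, and `observe_response` on every response; the store never needs to contact the network itself, which is the "no extra requests in the common cases" property the message points out.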