HSTS over HTTP question.

Can someone point me to a discussion on why the browser does not
redirect the very first time it receives an HSTS header over HTTP?

I just had an issue with Ajax requests being blocked in this
situation. The browser, still being on an HTTP page, tries to send
Ajax calls (by acknowledging the received HSTS) to an HTTPS equivalent
of that page (which does not work).

I would have expected that
- the HSTS is ignored when received via HTTP
- or that the browser does a redirect to https when facing a HSTS via HTTP

I am aware of 6.2. HTTP Request Type:
  A HSTS Server MUST NOT include the Strict-Transport-Security HTTP
  Response Header in HTTP responses conveyed over a non-secure
  transport.

But I don't understand the reasons.

Thanks for some hints
Ingo

Received on Friday, 7 March 2014 14:28:47 UTC
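As an added example (not code from this thread or from any browser), here is a small Python model of the user-agent side of RFC 6797 that the question turns on: a Strict-Transport-Security header is only honoured when the response itself arrived over HTTPS, so an HSTS header on a plain-HTTP response creates no policy and no URL gets upgraded. The class and function names, and the sample host `example.test`, are this example's own.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Per-host HSTS policy store, modelled on what a browser keeps (RFC 6797)."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry as epoch seconds, includeSubDomains flag)

    def process_response(self, url, headers, now=None):
        """Record, refresh or drop the HSTS policy carried by a response to `url`.

        The UA must ignore the header unless the response came over a secure
        transport, so an HTTP response never creates a policy (the case asked
        about above). Returns True only when a policy was stored or removed.
        """
        now = time.time() if now is None else now
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None:
            return False
        m = re.search(r'max-age\s*=\s*"?(\d+)', sts, re.IGNORECASE)
        if m is None:
            return False  # max-age is mandatory; a malformed header is ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 means "forget this host"
            return True
        include_sub = "includesubdomains" in sts.lower()
        self.hosts[parts.hostname] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if `host` (or a parent domain with includeSubDomains) has a live policy."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade an http:// URL to https:// only when its host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        port = "" if parts.port in (None, 80) else f":{parts.port}"  # port 80 becomes 443
        return urlunsplit(("https", parts.hostname + port, parts.path, parts.query, parts.fragment))
```

Feeding the store a constructed HTTP response carrying the header leaves `rewrite` untouched; only after the same header arrives over HTTPS does `http://example.test/api` become `https://example.test/api`.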