W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

HSTS over HTTP question.

From: Ingo Chao <ichaocssd@googlemail.com>
Date: Fri, 7 Mar 2014 15:28:09 +0100
Message-ID: <CAAET60XVg4cDzG62XGwmNySXMgtdZN1MCLuHx4s0-K8RnKPg9w@mail.gmail.com>
To: public-webappsec@w3.org
Can someone point me to a discussion on why the browser does not
redirect the very first time it receives an HSTS-header over HTTP?

I just had an issue with ajax requests being blocked in this
situation. The browser, still being on a http page, tries to send
ajaxs calls to (by acknowledging the received HSTS) a https equivalent
of that page (which does not work).

I would have expected that
- the HSTS is ignored when received via HTTP
- or that the browser does a redirect to https when facing a HSTS via HTTP

I am aware of 6.2.  HTTP Request Type
  A HSTS Server MUST NOT include the Strict-Transport-Security HTTP
  Response Header in HTTP responses conveyed over a non-secure

But I don't understand the reasons.

Thanks for some hints
Received on Friday, 7 March 2014 14:28:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:37 UTC