- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 07 Mar 2014 12:26:21 -0800
- To: Ingo Chao <ichaocssd@googlemail.com>, public-webappsec@w3.org
On 3/7/2014 6:28 AM, Ingo Chao wrote:
> I am aware of 6.2. HTTP Request Type
> A HSTS Server MUST NOT include the Strict-Transport-Security HTTP
> Response Header in HTTP responses conveyed over a non-secure
> transport.
>
> But I don't understand the reasons.

Because we don't trust the connection. Adding HSTS to a site not prepared to be fully TLS results in a denial of service for that site that the user won't really understand or easily fix.

-Dan Veditz
Received on Friday, 7 March 2014 20:26:47 UTC
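
Added example, not part of the original message: a sketch of the user-agent side of the rule discussed above, following the processing rules of RFC 6797. A Strict-Transport-Security header that arrives over plain HTTP, or over TLS with errors, is ignored, because anyone on the path could have injected it and locked users out of a site that cannot serve HTTPS. The function names and the in-memory store are assumptions made for illustration.

```python
import ipaddress
import re

def parse_sts(value):
    """Return (max_age, include_subdomains), or None if the field is invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not name:
            continue
        if name in seen:              # a directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'(\d+)|"(\d+)"', arg)
            if not m:
                return None
            max_age = int(m.group(1) or m.group(2))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)  # max-age is required

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def note_response(store, scheme, host, tls_errors, headers, now):
    """Apply one response to the known-HSTS-host store; True if a policy was processed."""
    if scheme != "https" or tls_errors:
        return False                  # untrusted transport: ignore the header entirely
    if is_ip_literal(host):
        return False                  # IP-literal hosts are never noted
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    policy = parse_sts(values[0]) if values else None  # only the first field counts
    if policy is None:
        return False
    max_age, include_sub = policy
    if max_age == 0:
        store.pop(host.lower(), None)  # max-age=0 removes the host
    else:
        store[host.lower()] = (now + max_age, include_sub)
    return True

def must_upgrade(store, host, now):
    """True if requests to host must be rewritten to https before being sent."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False
```

Once `must_upgrade` returns True for a host, the user agent stops making plain-HTTP requests to it until the entry expires, which is the denial of service described above when the site is not prepared for TLS.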