Re: [MIX] Interaction between HSTS and mixed content blocking

On Wed, Nov 19, 2014 at 1:07 PM, Brian Smith <> wrote:
> I lean toward what Henri suggested: developer tools should make noise,
> but the browser should do the redirect to the HTTPS origin instead of
> blocking.

Chrome applies mixed-content rules before HSTS redirects are
considered and it's unlikely that we would change that.

Otherwise sites randomly work or not based on whether the profile has
previously visited (and thus remembered HSTS for) an origin.

Also, it leaves mixed-content issues to bite people using browsers
that don't implement HSTS (and possibly allow dangerous loads).



Received on Wednesday, 19 November 2014 21:31:02 UTC