- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 19 Nov 2014 22:47:44 +0100
- To: Adam Langley <agl@google.com>
- Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Nov 19, 2014 at 10:30 PM, Adam Langley <agl@google.com> wrote:
> Otherwise sites randomly work or not based on whether the profile has
> previously visited (and thus remembered HSTS for) an origin.

If you do a same-origin check as well you would only rewrite rules that
would have to be in the user's HSTS cache (unless HSTS is weirdly
configured).

> Also, it leaves mixed-content issues to bite people using browsers
> that don't implement HSTS (and possibly allow dangerous loads).

Not implementing HSTS should be treated as a security bug at this point.

I do think it's worth considering if there's some way we can address
this problem as it makes deployment hard. E.g. have a header along
these lines:

  HTTPS-Domains: w3.org, lists.w3.org

which would rewrite the URLs matching those domains within the resource
to use HTTPS. That way you do not need to rewrite tons of static
resources, but can upgrade the resource's links and subresources
through an HTTP header that can be added via changing some server
configuration.

-- 
https://annevankesteren.nl/
Received on Wednesday, 19 November 2014 21:48:17 UTC
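The rewrite that the proposed HTTPS-Domains header would perform, sketched as an added example. This is not W3C code nor any browser's implementation, and the message above only gives the header name and one sample value; the comma-separated syntax, the exact-host matching rule (w3.org and lists.w3.org are listed separately, so subdomains are not implied), the handling of non-http schemes and explicit ports, and the `refs` list shape are all assumptions made here.

```javascript
// Added illustration of the hypothetical "HTTPS-Domains" header from the
// message above. Not W3C or browser code; header syntax and matching rule
// are assumptions for this example.

// Parse "HTTPS-Domains: w3.org, lists.w3.org" into a set of lower-cased hosts.
function parseHttpsDomains(headerValue) {
  const hosts = new Set();
  for (const part of headerValue.split(',')) {
    const host = part.trim().toLowerCase();
    if (host.length > 0) hosts.add(host);
  }
  return hosts;
}

// Rewrite one URL (resolved against the document's base URL) to https when
// its scheme is http and its host is listed exactly. Anything else (https:,
// data:, mailto:, unlisted hosts, unparseable strings) is returned unchanged.
// Note on ports: the WHATWG URL parser already drops the default port 80 from
// an http URL, so after the scheme change there is no explicit port, which
// matches what HSTS does with port 80; any other explicit port is retained.
function upgradeUrl(href, baseUrl, hosts) {
  let url;
  try {
    url = new URL(href, baseUrl);
  } catch (e) {
    return href; // unparseable reference: leave it alone rather than guess
  }
  if (url.protocol !== 'http:') return href;
  if (!hosts.has(url.hostname.toLowerCase())) return href;
  url.protocol = 'https:';
  return url.href; // absolute URL, even if the input was relative
}

// Apply the rewrite to every link and subresource reference of a page.
// `refs` is an assumed list of {tag, attr, value} already extracted from the
// document; the extraction step itself is not shown.
function upgradeReferences(refs, baseUrl, headerValue) {
  const hosts = parseHttpsDomains(headerValue);
  return refs.map(r => ({ ...r, value: upgradeUrl(r.value, baseUrl, hosts) }));
}

// Constructed sample input: a page under http://www.w3.org/TR/ served with
// "HTTPS-Domains: w3.org, lists.w3.org".
const SAMPLE_BASE = 'http://www.w3.org/TR/';
const SAMPLE_HEADER = 'w3.org, lists.w3.org';
const SAMPLE_REFS = [
  { tag: 'a',      attr: 'href', value: 'http://lists.w3.org/Archives/' },
  { tag: 'script', attr: 'src',  value: 'http://w3.org:80/js/app.js' },
  { tag: 'img',    attr: 'src',  value: 'http://www.w3.org/icon.png' },     // host not listed
  { tag: 'a',      attr: 'href', value: 'mailto:public-webappsec@w3.org' }, // not http
  { tag: 'link',   attr: 'href', value: '//lists.w3.org/style.css' },       // scheme-relative
];

for (const r of upgradeReferences(SAMPLE_REFS, SAMPLE_BASE, SAMPLE_HEADER)) {
  console.log(`${r.tag}[${r.attr}] -> ${r.value}`);
}
```

Two behaviours worth noticing: the scheme-relative reference is upgraded only because it resolves to http against the page's own base URL, and the www.w3.org image is left as http because the header lists w3.org, not www.w3.org. Whether a deployment would want automatic subdomain matching is exactly the kind of detail the proposal leaves open.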