W3C public-webappsec@w3.org mailing list archive, September 2014

Re: Redirects and HSTS

From: Mike West <mkwst@google.com>
Date: Fri, 26 Sep 2014 14:26:55 +0200
Message-ID: <CAKXHy=fqV1P5EJUxBGmv4UpmCkNTNPoYVn9wHy6VcV_XdF4wrQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
+sleevi

On Fri, Sep 26, 2014 at 2:24 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Sep 26, 2014 at 2:15 PM, Mike West <mkwst@google.com> wrote:
> > Yes, I think that's true.
>
> Perhaps Gecko's stance that HSTS rewriting happens after Mixed Content
> is correct. At least for non-same-origin HSTS. :-(
>

That's how Chrome implements it, actually. Ryan et al. are dead-set
against moving HSTS before mixed content checking, as he claims (correctly)
that HSTS only protects those browsers that support it. If we don't throw
errors, we're throwing Safari and IE users under a bus.

-mike
Received on Friday, 26 September 2014 12:27:42 UTC