Re: Redirects and HSTS

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 26 Sep 2014 17:38:50 -0700
Message-ID: <5426071A.3080806@mozilla.com>
To: Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>
CC: WebAppSec WG <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>

On 9/26/2014 5:24 AM, Anne van Kesteren wrote:
> Perhaps Gecko's stance that HSTS rewriting happens after Mixed Content
> is correct. At least for non-same-origin HSTS. :-(

Is it a "stance" or just how the code happened to work? The policy
enforcement mechanism for content loading is undergoing changes in Gecko
and unless this was a conscious design it might just start working the
other way.

Tanvi?

-Dan Veditz
Received on Saturday, 27 September 2014 00:39:21 UTC
