- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Mon, 24 Aug 2015 22:57:03 -0700
- To: Richard Barnes <rbarnes@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On 8/24/15 8:02 AM, Richard Barnes wrote:
> ## Is HSTS priming an expensive hack to paper over a temporary problem?
>
> In terms of "expense": It's worth noting that HSTS priming would only
> be done for potentially mixed-content requests, in cases where the
> HSTS state of the remote host is unknown. Current Firefox telemetry
> indicates that around 2/25% of page loads have mixed content, which
> places an upper bound on the number of additional queries. If you
> load 10 pages, each of which has 100 links to the same insecure host,
> you still only get one priming query.

This assumes that the page sets the HSTS header. If the page doesn't set the HSTS header, will browsers send the priming query for all these hundreds of requests? Should we cache non-HSTS priming responses for some short amount of time?
Received on Tuesday, 25 August 2015 05:57:37 UTC
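The cost question raised in the exchange above, as an added example that is not part of the thread and is not Firefox or W3C code: a toy model of HSTS priming that counts how many priming queries the "10 pages, 100 links to the same insecure host" scenario generates when the host does set HSTS, when it does not and no negative result is cached, and when non-HSTS answers are cached for a short time. The hostnames, the priming response table, and the negative-cache lifetime are constructed for the example.

```javascript
// Added example (not Firefox or W3C code): a minimal model of HSTS priming
// with a positive cache for hosts that sent Strict-Transport-Security and an
// optional short-lived negative cache for hosts that answered without it.

// Constructed responses to the priming probe (hostnames are made up).
const HSTS_TABLE = {
  'hsts.example': { hsts: true, maxAge: 31536000 },
  'plain.example': { hsts: false },
};

function probe(host) {
  // Stands in for the HTTPS priming request; unknown hosts answer without HSTS.
  return HSTS_TABLE[host] || { hsts: false };
}

class PrimingState {
  // negativeTtlMs = 0 means "no negative cache": an unknown host is re-probed
  // on every mixed-content request until it is seen to set HSTS.
  constructor({ probe, negativeTtlMs = 0, now = () => Date.now() }) {
    this.probe = probe;
    this.negativeTtlMs = negativeTtlMs;
    this.now = now;
    this.hsts = new Map();    // host -> expiry (ms) for hosts that set HSTS
    this.noHsts = new Map();  // host -> expiry (ms) for hosts that did not
    this.primingQueries = 0;  // number of priming requests actually sent
  }

  // Returns 'upgrade' when an http:// subresource on `host` should be fetched
  // over https, or 'mixed-content' when ordinary mixed-content handling applies.
  resolve(host) {
    const t = this.now();
    const hstsUntil = this.hsts.get(host);
    if (hstsUntil !== undefined && hstsUntil > t) return 'upgrade';
    const noHstsUntil = this.noHsts.get(host);
    if (noHstsUntil !== undefined && noHstsUntil > t) return 'mixed-content';

    // HSTS state unknown: this is the one place a priming query is sent.
    this.primingQueries++;
    const r = this.probe(host);
    if (r.hsts) {
      this.hsts.set(host, t + r.maxAge * 1000);
      this.noHsts.delete(host);
      return 'upgrade';
    }
    if (this.negativeTtlMs > 0) this.noHsts.set(host, t + this.negativeTtlMs);
    return 'mixed-content';
  }
}

// Load `pages` pages, each referencing `linksPerPage` http:// subresources on
// `host`, and report how many priming queries that costs.
function primingQueriesFor(host, { pages = 10, linksPerPage = 100, negativeTtlMs = 0 } = {}) {
  const state = new PrimingState({ probe, negativeTtlMs });
  for (let p = 0; p < pages; p++) {
    for (let i = 0; i < linksPerPage; i++) state.resolve(host);
  }
  return state.primingQueries;
}

const NEGATIVE_TTL_MS = 5 * 60 * 1000; // assumed negative-cache lifetime for the demo
console.log('HSTS host:               ', primingQueriesFor('hsts.example'));
console.log('non-HSTS, no neg cache:  ', primingQueriesFor('plain.example'));
console.log('non-HSTS, 5 min neg cache:', primingQueriesFor('plain.example', { negativeTtlMs: NEGATIVE_TTL_MS }));
```

With the positive cache alone the HSTS host costs one query, but the non-HSTS host costs one query per request, which is the case the reply asks about; a short negative TTL collapses that back to one query, and the entry expires so the host is re-probed once it can have deployed HSTS.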