Re: HSTS, mixed content, and priming

On 25 August 2015 at 10:06, Richard Barnes <rbarnes@mozilla.com> wrote:
> Serving the HSTS header on the resource itself makes me wonder if there are
> deployment issues lurking here.  The site operator has to send the HSTS
> header on every request, instead of just for the resource the priming query
> hits.


I'm OK with that.  As it turns out, there are some HTTP variants that
make repeated header fields close to free, so it's not like it is a
significant cost.  There might be some operational challenges, but if
the server container can be configured to insert the header field on
the way out, then that solves that problem neatly.

Received on Tuesday, 25 August 2015 17:52:57 UTC
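
The approach mentioned in the reply above, having the server container insert the header field on the way out, sketched as an added example that is not part of the original thread: a WSGI middleware that attaches `Strict-Transport-Security` to every HTTPS response, so every resource carries it, not only the one a priming query hits. The class and function names, the sample application and the `max-age` value are assumptions made for illustration.

```python
# Added example (not from the thread): insert HSTS on every response "on the way out".
HSTS_NAME = "Strict-Transport-Security"
HSTS_VALUE = "max-age=31536000"  # assumed policy value: one year


class HSTSMiddleware:
    """Wrap any WSGI app so each HTTPS response carries exactly one HSTS field."""

    def __init__(self, app, value=HSTS_VALUE):
        self.app = app
        self.value = value

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            # RFC 6797 section 7.2: do not send the field over non-secure transport.
            if environ.get("wsgi.url_scheme") == "https":
                # Drop any copy set by the app so the policy is stated once.
                headers = [(k, v) for k, v in headers
                           if k.lower() != HSTS_NAME.lower()]
                headers.append((HSTS_NAME, self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start)


def demo_app(environ, start_response):
    # Constructed sample app: a subresource handler that knows nothing about HSTS.
    start_response("200 OK", [("Content-Type", "image/png")])
    return [b""]


def response_headers(app, scheme, path="/img/logo.png"):
    """Drive the app with a minimal constructed request; return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.url_scheme": scheme}
    b"".join(app(environ, start_response))
    return captured["headers"]


if __name__ == "__main__":
    print(response_headers(HSTSMiddleware(demo_app), "https"))
    print(response_headers(HSTSMiddleware(demo_app), "http"))
```
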