Re: HSTS, mixed content, and priming

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 25 Aug 2015 10:52:30 -0700
Message-ID: <CABkgnnV-iKUaR_=NwTFkQeegmt4Ppsfq==obmooVW0_BRC-xww@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Brian Smith <brian@briansmith.org>, WebAppSec WG <public-webappsec@w3.org>
On 25 August 2015 at 10:06, Richard Barnes <rbarnes@mozilla.com> wrote:
> Serving the HSTS header on the resource itself makes me wonder if there are
> deployment issues lurking here.  The site operator has to send the HSTS
> header on every request, instead of just for the resource the priming query
> hits.

I'm OK with that.  As it turns out, there are some HTTP variants that
make repeated header fields close to free, so it's not like it is a
significant cost.  There might be some operational challenges, but if
the server container can be configured to insert the header field on
the way out, then that solves that problem neatly.
Received on Tuesday, 25 August 2015 17:52:57 UTC
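Not from the thread: an added example of the "configure the server container" approach the message describes, written as Python WSGI middleware standing in for the container. It sets the same Strict-Transport-Security value on every HTTPS response, whichever resource a priming request happens to hit, and includes a small directive parser for checking what was emitted; the policy value, the stand-in app and the helper names are assumptions.

```python
"""Set Strict-Transport-Security on every response at the server edge (modelled
as WSGI middleware) so a priming request for any resource sees it. Added
example, not code from the thread; policy values are constructed."""
import re

# Constructed policy: one year, cover subdomains (RFC 6797 syntax).
HSTS_VALUE = "max-age=31536000; includeSubDomains"
HEADER = "Strict-Transport-Security"

def parse_hsts(value):
    """Parse an STS header value into a dict of directives (RFC 6797 6.1).
    Returns None when the mandatory max-age directive is missing/invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def hsts_middleware(app, value=HSTS_VALUE):
    """Wrap a WSGI app so every HTTPS response carries the STS header.
    Over plain http the header is omitted: UAs must ignore it there
    (RFC 6797 8.1), so sending it only leaks the policy."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            if environ.get("wsgi.url_scheme") == "https":
                headers = [h for h in headers if h[0].lower() != HEADER.lower()]
                headers.append((HEADER, value))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped

def demo_app(environ, start_response):
    """Stand-in origin app: it sets no STS header of its own."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def response_headers(scheme, path="/any/resource"):
    """Run one request through the middleware, return (status, headers)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path}
    list(hsts_middleware(demo_app)(environ, start_response))
    return captured["status"], dict(captured["headers"])
```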