Re: HSTS, mixed content, and priming

From: Eric Mill <eric@konklone.com>
Date: Tue, 25 Aug 2015 15:17:44 -0400
Message-ID: <CANBOYLVBxdA+SuAhQ+Xox40_eCng1WBcjoC2bnR8sKJMgGjfzA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Richard Barnes <rbarnes@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Brian Smith <brian@briansmith.org>, WebAppSec WG <public-webappsec@w3.org>
For the specifics of whether to have the header expected on the root or the
resource, it's probably worth hearing from some people who manage
large-scale resource hosts to see which one presents fewer configuration
problems.

-- Eric

On Tue, Aug 25, 2015 at 1:52 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 25 August 2015 at 10:06, Richard Barnes <rbarnes@mozilla.com> wrote:
> > Serving the HSTS header on the resource itself makes me wonder if there
> > are deployment issues lurking here.  The site operator has to send the
> > HSTS header on every request, instead of just for the resource the
> > priming query hits.
>
>
> I'm OK with that.  As it turns out, there are some HTTP variants that
> make repeated header fields close to free, so it's not like it is a
> significant cost.  There might be some operational challenges, but if
> the server container can be configured to insert the header field on
> the way out, then that solves that problem neatly.
-- 
konklone.com | @konklone <https://twitter.com/konklone>
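As an added illustration, not code from this thread or any of its participants: if priming checks the resource rather than the origin root, every resource response must carry a usable HSTS header, so an operator would want to audit that the server really inserts it on every path. The script below parses the header per RFC 6797 and runs that audit over a constructed set of responses (the sample paths and headers are assumptions, not captured traffic).

```python
"""Audit constructed HTTP responses for a valid Strict-Transport-Security header."""
import re


def parse_sts(value):
    """Parse an STS header value (RFC 6797, section 6.1).

    Returns a dict of lower-cased directives, or None when the value is
    unusable: max-age missing or non-numeric, or any directive repeated.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # directive values may be quoted
        if name in directives:
            return None  # RFC 6797: every directive MUST appear only once
        directives[name] = val
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def audit(responses):
    """Return the paths whose response lacks a usable STS header.

    `responses` maps a request path to that response's header dict;
    header names are matched case-insensitively.
    """
    missing = []
    for path, headers in responses.items():
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if sts is None or parse_sts(sts) is None:
            missing.append(path)
    return missing


# Constructed sample: the root is configured correctly, one static resource
# has no header at all, and one carries a malformed header (no max-age).
SAMPLE = {
    "/": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "/static/app.js": {"Content-Type": "application/javascript"},
    "/static/logo.png": {"strict-transport-security": "includeSubDomains"},
}

if __name__ == "__main__":
    print(audit(SAMPLE))  # ['/static/app.js', '/static/logo.png']
```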
Received on Tuesday, 25 August 2015 19:18:49 UTC