- From: Peter Eckersley <pde@eff.org>
- Date: Mon, 2 Feb 2015 16:39:46 -0800
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Mon, Feb 02, 2015 at 01:53:10PM -0500, Daniel Kahn Gillmor wrote:
>
> I'll ask the obvious question explicitly:
>
> Why does this need to be a separate header at all? Why not just assume
> that sites with STS set should opportunistically upgrade http resources
> to https?

Arguably we may want it to be a separate header, or a new HSTS directive, so that sites don't trigger mixed content breakage in the already-widely-deployed populations of Chrome and Firefox browsers that block before upgrading.

--
Peter Eckersley pde@eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993

Received on Tuesday, 3 February 2015 09:31:24 UTC