Re: [UPGRADE]: What's left? from Martin Thomson on 2015-03-06 (public-webappsec@w3.org from March 2015)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 6 Mar 2015 11:16:50 -0800
To: Mike West <mkwst@google.com>
Cc: Peter Eckersley <pde@eff.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>, Ilya Grigorik <igrigorik@google.com>, Yoav Weiss <yoav@yoav.ws>
Message-ID: <CABkgnnWwGXfz3uF5QtwT1Hi_2v2fpB0ouuoTevWC3e1nwAOQDg@mail.gmail.com>

On 6 March 2015 at 10:43, Mike West <mkwst@google.com> wrote:
> I don't understand why HSTS needs to be conditionally set. Presumably you're
> only redirecting "safely upgradable requests" to HTTPS if you're this spec's
> target audience.

I understood this as "If you support this upgrade, might as well just
use HSTS".  But can't save the extra bytes by disabling this signal if
HSTS is enabled?

Received on Friday, 6 March 2015 19:17:22 UTC