
Re: HSTS Priming, continued.

From: Mike West <mkwst@google.com>
Date: Fri, 6 Nov 2015 18:52:10 +0100
Message-ID: <CAKXHy=cMq1b6pdH2eHKQf7f9R=egsWyrNEdg5LEB_kf2M9zGfA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Richard Barnes <rbarnes@mozilla.com>, Jeff Hodges <jeff.hodges@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>

On Fri, Nov 6, 2015 at 6:40 PM, Brad Hill <hillbrad@gmail.com> wrote:

> I like it.  Even if you don't want to apply it normatively to navigational
> requests, it might be useful to suggest that the prefetcher, if one exists,
> should perform priming.
>

Sounds reasonable:
https://github.com/mikewest/hsts-priming/commit/75877a33528c0c3893d599dd5c26864db4538313

That said, the concerns I've heard from folks to whom I've shopped this
proposal have centered around load (especially in geographic regions that
blackhole requests to port 443 in a way that fails slowly rather than
quickly). I'd like to start with something small that won't have a
seriously detrimental impact on load times.

Also, selfishly, it's a lot easier to poke at subresource requests in
Blink, as we can reuse much of the infrastructure that CORS preflights have
paved. Navigations are harder, especially as the implementation is a bit in
flux at the moment.

-mike
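The load concern in the message above is that a priming probe to a blackholed port 443 can hang, so the probe only helps if its wait is strictly bounded and a failed probe falls back to the request the page would have made anyway. The following added example sketches that decision logic; it is not code from the HSTS Priming proposal, the commit linked above, or Blink. It stands up three local origins on loopback (one sending a Strict-Transport-Security header, one without, and one that accepts the connection but never answers) and runs a HEAD probe against each. Plain HTTP on a random local port stands in for HTTPS on 443 so the example runs offline without certificates; the header value and timeout are constructed for the demo.

```python
"""HSTS priming probe with a bounded wait (added example, not the proposal's code)."""
import http.client
import http.server
import socket
import threading
import time

# Constructed budget: how long a priming probe may take before we give up and
# fall back to the original http:// request.
PRIMING_TIMEOUT = 0.5


class _PrimingHandler(http.server.BaseHTTPRequestHandler):
    """Minimal origin that answers HEAD with an optional HSTS header."""
    hsts_value = None  # overridden per origin via a subclass

    def do_HEAD(self):
        self.send_response(200)
        if self.hsts_value is not None:
            self.send_header("Strict-Transport-Security", self.hsts_value)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_origin(hsts_value):
    """Start a loopback origin (stand-in for the host's port 443); return its port."""
    handler = type("OriginHandler", (_PrimingHandler,), {"hsts_value": hsts_value})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def start_blackhole():
    """Start a listener that accepts connections and never replies (slow failure)."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    held = []  # keep accepted sockets open so the client sees silence, not a reset

    def swallow():
        while True:
            conn, _ = sock.accept()
            held.append(conn)

    threading.Thread(target=swallow, daemon=True).start()
    return sock.getsockname()[1]


def prime(host, port, timeout=PRIMING_TIMEOUT):
    """Probe the secure endpoint once; decide which scheme the subresource fetch uses.

    Returns (scheme, detail, elapsed_seconds). Any failure, including the probe
    exceeding its timeout, falls back to "http" so priming never blocks the page.
    """
    started = time.monotonic()
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/")
        hsts = conn.getresponse().getheader("Strict-Transport-Security")
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return "http", f"priming failed ({type(exc).__name__})", time.monotonic() - started
    if hsts is None:
        return "http", "no HSTS header", time.monotonic() - started
    return "https", hsts, time.monotonic() - started


def demo():
    """Run the probe against the three constructed origins and return the outcomes."""
    return {
        "hsts": prime("127.0.0.1", start_origin("max-age=31536000")),
        "plain": prime("127.0.0.1", start_origin(None)),
        "blackhole": prime("127.0.0.1", start_blackhole()),
    }


if __name__ == "__main__":
    for name, (scheme, detail, elapsed) in demo().items():
        print(f"{name:10s} -> {scheme:5s} ({detail}) in {elapsed:.2f}s")
```

The blackhole case is the one the message worries about: without the timeout the probe would wait for the TCP stack to give up, which can take tens of seconds on a silently dropping path, and that delay would land on every primed subresource fetch.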
Received on Friday, 6 November 2015 17:52:58 UTC