Re: HSTS Priming, continued. from Brad Hill on 2015-11-06 (public-webappsec@w3.org from November 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 06 Nov 2015 17:55:26 +0000
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Richard Barnes <rbarnes@mozilla.com>, Jeff Hodges <jeff.hodges@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Adam Langley <agl@google.com>
Message-ID: <CAEeYn8gVN8ohq0q5UtyYcPLvDPcnB0=q59PFZ4e3D2SEGEjuvg@mail.gmail.com>

Makes sense, baby steps are good.

On Fri, Nov 6, 2015 at 9:52 AM Mike West <mkwst@google.com> wrote:

> On Fri, Nov 6, 2015 at 6:40 PM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> I like it.  Even if you don't want to apply it normatively to
>> navigational requests, it might be useful to suggest that the prefetcher,
>> if one exists, should perform priming.
>>
>
> Sounds reasonable:
> https://github.com/mikewest/hsts-priming/commit/75877a33528c0c3893d599dd5c26864db4538313
>
> That said, the concerns I've heard from folks to whom I've shopped this
> proposal have centered around load (especially in geographic regions that
> blackhole requests to port 443 in a way that fails slowly rather than
> quickly). I'd like to start with something small that won't have a
> seriously detrimental impact on load times.
>
> Also, selfishly, it's a lot easier to poke at subresource requests in
> Blink, as we can reuse much of the infrastructure that CORS preflights have
> paved. Navigations are harder, especially as the implementation is a bit in
> flux at the moment.
>
> -mike
>

Received on Friday, 6 November 2015 17:56:03 UTC