- From: Jose Kahan <jose.kahan@w3.org>
- Date: Mon, 21 Sep 2015 12:28:55 +0200
- To: Mike West <mkwst@google.com>
- Cc: Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi Mike, We are in the process in deploying the hsts/https config from www-test to our production servers. However, we got a snatch that wasn't detected during our tests: the latest released firefox (40.0.3) doesn't seem to apply the hsts rule before checking for mixed-content warning. Today we had a news item with an absolute HTTP link to an image and this revelead it. Firefox will also complain if there are absolute http links to CSS files. There is already a report for this issue and it is still open: https://bugzilla.mozilla.org/show_bug.cgi?id=838395 In view of this, if there is no immediate solution we could apply, we're going to have to roll-back the deployment and wait until it is fixed. Any suggestions before we do this will be welcome. Thanks, -jose On Mon, Sep 14, 2015 at 03:02:21PM +0200, Mike West wrote: > > Ping. :) How have the tests been going over the last ~2 months? Any update > on this work?
Received on Monday, 21 September 2015 10:29:07 UTC