- From: Jacob Hoffman-Andrews <jsha@eff.org>
- Date: Mon, 21 Sep 2015 10:53:32 -0700
- To: Richard Barnes <rbarnes@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>

On 08/24/2015 08:02 AM, Richard Barnes wrote:
> tl;dr: If we add priming requests for HSTS, we can allow HSTS-upgraded
> requests from HTTPS pages, and avoid the need for scheme changes.

I like this idea a lot. One thing: in u-i-r, there is a notion that a site may work for UAs that implement u-i-r, but break due to MCB for UAs that do not. Sites will want to make a decision on whether to redirect HTTP visitors to HTTPS based on whether they support priming. So we probably need a header announcing support, similar to the one in u-i-r.

Received on Monday, 21 September 2015 17:54:02 UTC