Re: HSTS, mixed content, and priming

From: Jacob Hoffman-Andrews <jsha@eff.org>
Date: Mon, 21 Sep 2015 10:53:32 -0700
To: Richard Barnes <rbarnes@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <5600441C.6050306@eff.org>

On 08/24/2015 08:02 AM, Richard Barnes wrote:
> tl;dr: If we add priming requests for HSTS, we can allow HSTS-upgraded
> requests from HTTPS pages, and avoid the need for scheme changes.

I like this idea a lot.

One thing: in u-i-r, there is a notion that a site may work for UAs that
implement u-i-r, but break due to MCB for UAs that do not. Sites will
want to make a decision on whether to redirect HTTP visitors to HTTPS
based on whether they support priming. So we probably need a header
announcing support, similar to the one in u-i-r.
Received on Monday, 21 September 2015 17:54:02 UTC