
Re: HSTS priming vs preloading

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 2 Feb 2016 14:54:13 +0100
Message-ID: <CADnb78jxcB1zgci3z9zz8iqa69Yr55gjMnfwGdd-mHiPYHnrcg@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Eric Mill <eric@konklone.com>, Ben Wilson <ben.wilson@digicert.com>, Jim Manico <jim.manico@owasp.org>, Mike West <mkwst@google.com>, Jim Manico <jim@manicode.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Feb 2, 2016 at 2:41 PM, Richard Barnes <rbarnes@mozilla.com> wrote:
> That's part of why priming is nice -- it gives you the determinism of
> preloading, while letting you trade an RTT for not preloading.

Yeah. The main problem with priming is that it gives an attacker a
chance, so it's not a complete alternative and less than ideal when you
consider navigations as well rather than just mixed content. (It's a
step up from where we are today, for sure.) And an alternative where a
browser hosts the preload table would give the browser insight into where
the user is going (and perhaps slow things down unacceptably). Meh.

Received on Tuesday, 2 February 2016 13:54:39 UTC
