W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: HSTS priming vs preloading

From: Mike West <mkwst@google.com>
Date: Mon, 18 Jan 2016 13:11:39 +0100
Message-ID: <CAKXHy=fnbyajyMsFFSvqVukmwOsYccE5vhcoV-xtiYQMe9BkjA@mail.gmail.com>
To: Jim Manico <jim@manicode.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jan 18, 2016 at 1:05 PM, Jim Manico <jim@manicode.com> wrote:

> Forgive this indulgence, but does HSTS preloading have the same benefits
> of HSTS priming since preloaded HSTS would occur before the mixed content
> check?
>

Yes. Basically, we'd only do a priming ping if the origin being requested
wasn't already marked as HSTSized in the user's local browser. The fact
that we _would_ do a priming ping for non-secure origins that aren't in the
local browser's HSTS list ensures that we can do the upgrade without
breakage.

Feel free to answer on list if you prefer.
>

CCing the list just so other folks with the same question can weigh in. :)

-mike
Received on Monday, 18 January 2016 12:12:30 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:17 UTC