- From: Mike West <mkwst@google.com>
- Date: Mon, 18 Jan 2016 13:11:39 +0100
- To: Jim Manico <jim@manicode.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 18 January 2016 12:12:30 UTC
On Mon, Jan 18, 2016 at 1:05 PM, Jim Manico <jim@manicode.com> wrote:

> Forgive this indulgence, but does HSTS preloading have the same benefits
> of HSTS priming since preloaded HSTS would occur before the mixed content
> check?
>

Yes. Basically, we'd only do a priming ping if the origin being requested wasn't already marked as HSTSized in the user's local browser. The fact that we _would_ do a priming ping for non-secure origins that aren't in the local browser's HSTS list ensures that we can do the upgrade without breakage.

> Feel free to answer on list if you prefer.
>

CCing the list just so other folks with the same question can weigh in. :)

-mike