
Re: HSTS priming vs preloading

From: Mike West <mkwst@google.com>
Date: Mon, 18 Jan 2016 13:11:39 +0100
Message-ID: <CAKXHy=fnbyajyMsFFSvqVukmwOsYccE5vhcoV-xtiYQMe9BkjA@mail.gmail.com>
To: Jim Manico <jim@manicode.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jan 18, 2016 at 1:05 PM, Jim Manico <jim@manicode.com> wrote:

> Forgive this indulgence, but does HSTS preloading have the same benefits
> of HSTS priming since preloaded HSTS would occur before the mixed content
> check?

Yes. Basically, we'd only do a priming ping if the origin being requested
wasn't already marked as HSTSized in the user's local browser. The fact
that we _would_ do a priming ping for non-secure origins that aren't in the
local browser's HSTS list ensures that we can do the upgrade without

Feel free to answer on list if you prefer.

CCing the list just so other folks with the same question can weigh in. :)

Received on Monday, 18 January 2016 12:12:30 UTC
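
The decision order described in the reply above (local HSTS state, preloaded or learned, is consulted first, and a priming ping is sent only for hosts not already known), as an added JavaScript sketch that is not part of the original message or of any browser's code. The function names, the store layout and the `.example` hosts are constructed, and falling back to normal mixed content handling when the ping returns no HSTS policy is an assumption.

```javascript
// Added illustration; all names are hypothetical, not browser internals.
// Constructed sample state: one preloaded host and one learned dynamically.
const NOW = 1453119099; // fixed clock (seconds) so the run is deterministic
const hstsStore = new Map([
  ["preloaded.example", { includeSubDomains: true, expires: Infinity, source: "preload" }],
  ["seen.example", { includeSubDomains: false, expires: NOW + 3600, source: "dynamic" }],
]);

// Parse a Strict-Transport-Security header value (simplified RFC 6797 syntax).
function parseHsts(value) {
  let maxAge = null, includeSubDomains = false;
  for (const part of String(value || "").split(";")) {
    const [name, raw = ""] = part.trim().split("=");
    const key = name.trim().toLowerCase();
    if (key === "max-age" && /^"?\d+"?$/.test(raw.trim())) maxAge = Number(raw.trim().replace(/"/g, ""));
    if (key === "includesubdomains") includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// True if host, or a parent with includeSubDomains, has an unexpired entry.
function isKnownHsts(host, now = NOW) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const entry = hstsStore.get(labels.slice(i).join("."));
    if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) return true;
  }
  return false;
}

// Decide what happens to an http:// subresource on an https:// page.
// primingPing(host) stands in for the priming request to https://host/ and
// returns the Strict-Transport-Security header value it saw, or null.
function resolveInsecureSubresource(host, primingPing, now = NOW) {
  if (isKnownHsts(host, now)) return { action: "upgrade", primed: false };
  const policy = parseHsts(primingPing(host));
  if (policy && policy.maxAge > 0) {
    hstsStore.set(host.toLowerCase(), { includeSubDomains: policy.includeSubDomains,
      expires: now + policy.maxAge, source: "dynamic" });
    return { action: "upgrade", primed: true };
  }
  // Assumption: without an HSTS answer, normal mixed content handling applies.
  return { action: "mixed-content-check", primed: true };
}
```

A host covered by a preloaded or previously learned entry is upgraded with `primed: false`, so no ping is issued for it.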
