Re: HSTS priming vs preloading from Richard Barnes on 2016-01-18 (public-webappsec@w3.org from January 2016)

From: Richard Barnes <rbarnes@mozilla.com>
Date: Mon, 18 Jan 2016 10:32:58 -0500
To: Mike West <mkwst@google.com>
Cc: Jim Manico <jim@manicode.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAOAcki9RxTmCMpAOE2yoXT5_XGVNV2aRp30_8LskbwYxrKnWAQ@mail.gmail.com>

On Mon, Jan 18, 2016 at 7:11 AM, Mike West <mkwst@google.com> wrote:

> On Mon, Jan 18, 2016 at 1:05 PM, Jim Manico <jim@manicode.com> wrote:
>
>> Forgive this indulgence, but does HSTS preloading have the same benefits
>> of HSTS priming since preloaded HSTS would occur before the mixed content
>> check?
>>
>
> Yes. Basically, we'd only do a priming ping if the origin being requested
> wasn't already marked as HSTSized in the user's local browser. The fact
> that we _would_ do a priming ping for non-secure origins that aren't in the
> local browser's HSTS list ensures that we can do the upgrade without
> breakage.
>
> Feel free to answer on list if you prefer.
>>
>
> CCing the list just so other folks with the same question can weigh in. :)
>

Thanks :)

I would just add that preloading still offers slightly better security than
priming: If you don't preload, then an active network attacker can still
prevent browsers from getting the HSTS signal by stripping the header.

>From the perspective of fixing mixed content, though, they should be the
same.

--Richard

Received on Monday, 18 January 2016 15:33:27 UTC