On Mon, Jan 18, 2016 at 7:11 AM, Mike West <mkwst@google.com> wrote:

> On Mon, Jan 18, 2016 at 1:05 PM, Jim Manico <jim@manicode.com> wrote:
>
>> Forgive this indulgence, but does HSTS preloading have the same benefits
>> of HSTS priming since preloaded HSTS would occur before the mixed content
>> check?
>>
>
> Yes. Basically, we'd only do a priming ping if the origin being requested
> wasn't already marked as HSTSized in the user's local browser. The fact
> that we _would_ do a priming ping for non-secure origins that aren't in the
> local browser's HSTS list ensures that we can do the upgrade without
> breakage.
>
>> Feel free to answer on list if you prefer.
>>
>
> CCing the list just so other folks with the same question can weigh in. :)
>

Thanks :)

I would just add that preloading still offers slightly better security than
priming: If you don't preload, then an active network attacker can still
prevent browsers from getting the HSTS signal by stripping the header.

From the perspective of fixing mixed content, though, they should be the
same.

--Richard

Received on Monday, 18 January 2016 15:33:27 UTC
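The decision sequence the thread describes (preload list, local HSTS store, priming ping before the mixed-content check) as a toy model; this is an added example written for this archive page, not code from any browser or from the thread's participants. The hostnames, the `Network` stand-in, and the header-stripping flag are constructed assumptions used only to show why a preloaded origin still upgrades when an active attacker strips the header and a non-preloaded one does not.

```python
"""Toy model of the mixed-content check with HSTS preload and HSTS priming.

Constructed example: ignores max-age, includeSubDomains, header parsing and
every other detail of real HSTS handling. Only the decision order matters.
"""
from dataclasses import dataclass, field

# Constructed sample preload entry (not a real preload-list entry).
PRELOAD_LIST = {"preloaded.example"}


class Network:
    """Stand-in for the network path. hsts_hosts send the HSTS header over
    TLS; stripped=True models an active attacker removing that header."""

    def __init__(self, hsts_hosts, stripped=False):
        self.hsts_hosts = set(hsts_hosts)
        self.stripped = stripped

    def fetch(self, host):
        # Returns the response headers of a TLS fetch (dict), or None if the
        # host is not reachable over TLS at all.
        if host in self.hsts_hosts and not self.stripped:
            return {"strict-transport-security": "max-age=31536000"}
        return {}


@dataclass
class Browser:
    local_hsts: set = field(default_factory=set)

    def is_hsts(self, host):
        # Preloaded entries and locally learned entries are treated alike.
        return host in PRELOAD_LIST or host in self.local_hsts

    def priming_ping(self, host, network):
        # The priming request: fetch over TLS and remember HSTS if it arrives.
        headers = network.fetch(host)
        if headers and "strict-transport-security" in headers:
            self.local_hsts.add(host)

    def load_subresource(self, url, network):
        """Return 'fetch', 'upgrade' or 'block' for a subresource on an
        HTTPS page. Priming only happens when the origin is not yet HSTS."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if scheme == "https":
            return "fetch"
        if not self.is_hsts(host):
            self.priming_ping(host, network)
        return "upgrade" if self.is_hsts(host) else "block"
```

Run the same `http://` subresource through a `Network` with and without `stripped=True`: a non-preloaded origin flips from "upgrade" to "block" under stripping, while a preloaded one never sends the priming ping and upgrades regardless.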