- From: Eric Mill <eric@konklone.com>
- Date: Mon, 18 Jan 2016 15:11:29 -0500
- To: Mike West <mkwst@google.com>
- Cc: Jim Manico <jim@manicode.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 18 January 2016 20:12:39 UTC
On Mon, Jan 18, 2016 at 7:11 AM, Mike West <mkwst@google.com> wrote: > On Mon, Jan 18, 2016 at 1:05 PM, Jim Manico <jim@manicode.com> wrote: > >> Forgive this indulgence, but does HSTS preloading have the same benefits >> of HSTS priming since preloaded HSTS would occur before the mixed content >> check? >> > > Yes. Basically, we'd only do a priming ping if the origin being requested > wasn't already marked as HSTSized in the user's local browser. The fact > that we _would_ do a priming ping for non-secure origins that aren't in the > local browser's HSTS list ensures that we can do the upgrade without > breakage. > I may be remembering wrong, but I didn't think HSTS alone (preloaded or dynamic) would resolve mixed content issues. The stated concern with allowing HSTS to affect mixed-content rendering is that it would create different experiences per-user/session, and preloading does mitigate this concern, but I didn't think there was an actual code path in Chrome (or other browsers) where it decides to allow HSTS to override mixed content if the HSTS policy was preloaded. -- Eric
Received on Monday, 18 January 2016 20:12:39 UTC