Re: HSTS priming vs preloading

From: Eric Mill <eric@konklone.com>
Date: Mon, 18 Jan 2016 15:11:29 -0500
Message-ID: <CANBOYLV1Wn_eQWQ_SHXtahz_xE=k=QOADPuXKfyQbpGfzgtrfw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Jim Manico <jim@manicode.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jan 18, 2016 at 7:11 AM, Mike West <mkwst@google.com> wrote:

> On Mon, Jan 18, 2016 at 1:05 PM, Jim Manico <jim@manicode.com> wrote:
>> Forgive this indulgence, but does HSTS preloading have the same benefits
>> of HSTS priming since preloaded HSTS would occur before the mixed content
>> check?
> Yes. Basically, we'd only do a priming ping if the origin being requested
> wasn't already marked as HSTSized in the user's local browser. The fact
> that we _would_ do a priming ping for non-secure origins that aren't in the
> local browser's HSTS list ensures that we can do the upgrade without
> breakage.

I may be remembering wrong, but I didn't think HSTS alone (preloaded or
dynamic) would resolve mixed content issues.

The stated concern with allowing HSTS to affect mixed-content rendering is
that it would create different experiences per-user/session, and preloading
does mitigate this concern, but I didn't think there was an actual code
path in Chrome (or other browsers) where it decides to allow HSTS to
override mixed content if the HSTS policy was preloaded.

-- Eric
Received on Monday, 18 January 2016 20:12:39 UTC
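The exchange above describes a decision order for the priming proposal: a non-secure subresource request from a secure page is upgraded outright when the origin is already in the browser's HSTS store (preloaded or learned), a priming ping is sent only when it is not, and the request stays mixed content when the ping yields no policy. The following is an added toy model of that order, written for this archive and not code from Chrome, from any browser, or from the spec draft; the `HstsStore`, `resolve_subresource` and `fake_prime` names, the constructed hostnames, and the constructed priming responses are all assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Extracts the max-age directive from a Strict-Transport-Security header value.
_MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


@dataclass
class HstsStore:
    """Local HSTS state: the shipped preload list plus dynamically learned hosts."""
    preloaded: set
    dynamic: dict = field(default_factory=dict)  # host -> max-age in seconds

    def is_known(self, host: str) -> bool:
        return host in self.preloaded or host in self.dynamic

    def learn(self, host: str, header_value: str) -> bool:
        """Record a policy from an HSTS header; max-age=0 clears any entry.
        Returns True if the host is HSTS-enforced after the update."""
        m = _MAX_AGE_RE.search(header_value)
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:
            self.dynamic.pop(host, None)
            return False
        self.dynamic[host] = max_age
        return True


def resolve_subresource(url: str, store: HstsStore,
                        prime: Callable[[str], Optional[str]]) -> Tuple[str, bool]:
    """Decide how a secure page's subresource request should be handled.

    Returns (action, pinged): action is 'allow' (already https), 'upgrade'
    (rewrite to https under HSTS) or 'block' (mixed content); pinged tells
    whether a priming request was made for this decision.
    """
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].lower()
    if scheme == "https":
        return "allow", False
    if scheme != "http":
        return "block", False
    # Step 1: an origin already marked HSTS locally (preload list or a
    # previously seen header) is upgraded without any network round trip.
    if store.is_known(host):
        return "upgrade", False
    # Step 2: otherwise send the priming ping. `prime` stands in for a HEAD
    # request over https and returns the HSTS header value, or None when the
    # origin does not answer over TLS or sends no policy.
    header = prime(host)
    if header is not None and store.learn(host, header):
        return "upgrade", True
    # Step 3: no usable policy, so the request remains mixed content.
    return "block", True


# Constructed priming responses, keyed by host (assumption, not real origins).
CONSTRUCTED_PRIMING_RESPONSES = {
    "cdn.example": "max-age=31536000; includeSubDomains",
    "legacy.example": None,          # no TLS endpoint or no HSTS header
    "expired.example": "max-age=0",  # origin explicitly withdraws its policy
}


def fake_prime(host: str) -> Optional[str]:
    """Simulated priming ping; stands in for the network."""
    return CONSTRUCTED_PRIMING_RESPONSES.get(host)


def make_store() -> HstsStore:
    """A store with one constructed preloaded host and nothing learned yet."""
    return HstsStore(preloaded={"preloaded.example"})


if __name__ == "__main__":
    store = make_store()
    for u in ("http://preloaded.example/x.js", "http://cdn.example/a.js",
              "http://cdn.example/b.js", "http://legacy.example/c.js"):
        print(u, "->", resolve_subresource(u, store, fake_prime))
```

Running the script shows the property Mike's reply relies on: the first request to `cdn.example` triggers a ping and is upgraded, the second request to the same host is upgraded with no ping because the policy is now in the local store, and `legacy.example` stays blocked as mixed content because the ping produced no policy.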