On Thu, 31 Aug 2017 15:36:03 +0200
Hiltjo Posthuma <hiltjo_AT_codemadness.org> wrote:
Dear Hiltjo,
> There is no issue (anymore) because I fixed the main template.
> An example is the logo.svg had a direct http:// link. This gives a
> "mixed content" warning in your browser. A MITM can abuse plain-text
> traffic, this is not possible by specifying a HSTS header. Of course
> the person has to first make a single HTTPS request with the HSTS
> header set. After that it works (until the expiration date, which is
> set to 1 year atm).
what makes me wonder is why the HSTS-spec tells conformant clients to
ignore the STS-header in the context of a HTTP connection, given this
would be a perfect way to implement an "offering" of a TLS-connection
to a browser.
Clients who do not wish to connect via HTTPS but HTTP can just ignore
the STS-header, but browsers who can could expose a configuration
setting for the user to determine how to behave when being confronted
with a HSTS-header in an HTTP-context.
This would completely rid us of the need for extensions like "HTTPS
Everywhere" and we would still keep HTTPS optional.
With best regards
Laslo Hunhold
--
Laslo Hunhold <dev_AT_frign.de>
Received on Thu Aug 31 2017 - 15:57:15 CEST