On Thu, 31 Aug 2017 15:36:03 +0200
Hiltjo Posthuma <hil...@codemadness.org> wrote:

Dear Hiltjo,

> There is no issue (anymore) because I fixed the main template.
> An example is the logo.svg had a direct http:// link. This gives a
> "mixed content" warning in your browser. A MITM can abuse plain-text
> traffic, this is not possible by specifying an HSTS header. Of course
> the person has to first make a single HTTPS request with the HSTS
> header set. After that it works (until the expiration date, which is
> set to 1 year atm).

what makes me wonder is why the HSTS-spec tells conformant clients to
ignore the STS-header in the context of a HTTP connection, given this
would be a perfect way to implement an "offering" of a TLS-connection
to a browser.
Clients who do not wish to connect via HTTPS but HTTP can just ignore
the STS-header, but browsers who can could expose a configuration
setting for the user to determine how to behave when being confronted
with a HSTS-header in an HTTP-context.

This would completely rid us of the need for extensions like "HTTPS
Everywhere" and we would still keep HTTPS optional.

With best regards

Laslo Hunhold

-- 
Laslo Hunhold <d...@frign.de>
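The two behaviours discussed in this exchange, the policy being learned only from a response that already came over HTTPS and then cached until max-age expires (Hiltjo's point), and a conformant client ignoring the header when it arrives over plain HTTP (the spec rule Laslo questions), are small enough to model in a few dozen lines. The following Python is an added example written for this post, not code from the thread or from the site in question; `HstsStore`, `parse_sts` and the example.org URLs are constructed for illustration, and the model is simplified (it does not map an explicit `:80` port to `:443`, and keeps policies only in memory).

```python
"""Minimal model of a conformant HSTS client (RFC 6797).

Added example for illustration; HstsStore, parse_sts and the sample
hosts/URLs are constructed here and are not from the mailing list."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None when the value
    is unusable (no max-age, or a non-numeric max-age); in that case a
    client must ignore the header entirely rather than guess."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS policy cache. `clock` is injectable so that expiry
    can be exercised without waiting a year (constructed convenience)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, headers):
        """Learn a policy from a response. Returns True if a policy was
        stored or cleared, False if the header was ignored.

        The header only counts when the response came over HTTPS; over
        plain HTTP it is ignored (RFC 6797 section 8.1), since anyone on
        the plaintext path could otherwise inject or strip policies.
        This is the 'first request must be HTTPS' step from the thread."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            # max-age=0 tells the client to forget the host's policy.
            self.policies.pop(host, None)
            return True
        self.policies[host] = (self.clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent domain whose policy carries
        includeSubDomains, has an unexpired policy."""
        now = self.clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if expires_at > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// for a known HSTS host; this is
        what makes a stray http:// link (the logo.svg case in the thread)
        still load over TLS. Other URLs are returned unchanged. Explicit
        :80 ports are left as-is here, although the RFC maps them to 443."""
        parts = urlsplit(url)
        if (parts.scheme != "http" or not parts.hostname
                or not self.is_known(parts.hostname)):
            return url
        return urlunsplit(("https",) + tuple(parts[1:]))


if __name__ == "__main__":
    store = HstsStore()
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    print("learned over http:", store.observe("http://example.org/", hdr))
    print("learned over https:", store.observe("https://example.org/", hdr))
    print(store.rewrite("http://example.org/logo.svg"))
```

Running the demo shows the header being rejected on the plaintext response and accepted on the TLS one, after which the mixed-content style `http://example.org/logo.svg` link is upgraded before any request leaves the client; once the cached policy's max-age has elapsed the upgrade stops, which is why a long max-age (the thread mentions one year) matters.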
