On 2017-10-23 14:48, [email protected] wrote:

> Does that mean the browser never tries to access port 80?
> This would make no sense. I suppose it would make sense if the
> browser queried the target domain first, but what difference would
> that make? What's the difference between a browser trying to access
> port 80 but being redirected to port 443 and the browser asking the
> target domain if it serves port 80?
That's the whole promise of HSTS. The first time the web browser connects to the site, it would include the HSTS header, which asserts "From now until $DATE, I promise I will never ever ask for any resource over HTTP (non-S), so if you see an insecure HTTP URL, it's wrong." I don't remember the details of whether the browser is supposed to automatically upgrade HTTP links to HTTPS or whether it should/can be treated as an error condition.

When developing a site, you might set the valid-until-$DATE to really short in case you break something with your certificates; then once you have things working, set it for a nice long time-frame as an assertion that you only communicate over encrypted connections.

-tim

_______________________________________________
Lynx-dev mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/lynx-dev
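The behaviour Tim describes, shown as an added example that is not part of the thread and not Lynx code: a minimal model of the HSTS cache a browser keeps. Per RFC 6797 the policy is only recorded from a response received over HTTPS, `max-age` is the "$DATE" in his paraphrase (with `max-age=0` withdrawing it, the short-expiry trick for development), and a later `http://` URL for a known host is rewritten to `https://` before any port-80 connection is attempted (an explicit port 80 becomes the https default, other explicit ports are kept). Host names and times in the test are constructed.

```python
# Model of a browser's HSTS cache (added illustration, not Lynx code).
import re
import time
from urllib.parse import urlsplit, urlunsplit

_cache = {}  # host -> (expiry timestamp, includeSubDomains flag)
_MAX_AGE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.I)

def parse_hsts(header):
    """Return (max_age, include_subdomains) or None if max-age is missing."""
    max_age, subdomains = None, False
    for directive in (d.strip() for d in header.split(";")):
        m = _MAX_AGE.match(directive)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            subdomains = True
    return None if max_age is None else (max_age, subdomains)

def remember(host, header, now=None):
    """Record the policy carried by an HTTPS response; max-age=0 withdraws it.
    The caller must only invoke this for responses received over HTTPS."""
    parsed = parse_hsts(header)
    if parsed is None:
        return False  # malformed policy: ignored, cache untouched
    max_age, subdomains = parsed
    now = time.time() if now is None else now
    if max_age == 0:
        _cache.pop(host, None)
    else:
        _cache[host] = (now + max_age, subdomains)
    return True

def is_known_host(host, now=None):
    """True if host, or a parent with includeSubDomains, has an unexpired policy."""
    now = time.time() if now is None else now
    labels = host.split(".")
    for i in range(len(labels)):
        entry = _cache.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def upgrade(url, now=None):
    """Rewrite an http:// URL to https:// when the host is a known HSTS host."""
    p = urlsplit(url)
    if p.scheme != "http" or not is_known_host(p.hostname, now):
        return url  # no policy (or already https): leave untouched
    netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```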
