On 26/02/2019 14:45, Joseph Reeves wrote:
> As an aside, HSTS is interesting here because the website operator is
> saying "only use this domain over https", but at that point, we don't
> need to make changes to the database because the web client should be
> aware of the HSTS preload list; the protocol listed in the referrer
> is not relevant.

I don't think we can rely totally on HSTS. I'm sure not all sites are on HSTS preload lists. I think OSM has more "website=http://*" tags (965k)¹ than Firefox² & Chrome³ have in their HSTS preload lists...

[1] https://taginfo.openstreetmap.org/keys/website#values

[2]
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc

[3]
https://www.chromium.org/hsts
https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json?cl=5b2537d89ea5994d27bba5735961b0be1095c54c

_______________________________________________
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk