Hi Rory,

Sure, so my point is: If someone wants to encourage https adoption in the
wider world, the OSM database is not the place to do it. Security
mechanisms exist for website operators to implement if they so desire, and
they may need help making the most appropriate decisions.

Cheers, Joseph

On Tue, 26 Feb 2019 at 14:30, Rory McCann <r...@technomancy.org> wrote:

> On 26/02/2019 14:45, Joseph Reeves wrote:
> > As an aside, HSTS is interesting here because the website operator is
> > saying "only use this domain over https", but at that point, we don't
> > need to make changes to the database because the web client should be
> > aware of the HSTS preload list; the protocol listed in the referrer
> > is not relevant.
>
> I don't think we can rely totally on HSTS. I'm sure not all sites are on
> HSTS preload lists. I think OSM has more "website=http://*" tags (965k)¹
> than Firefox² & Chrome³ have in their HSTS preload lists...
>
> [1] https://taginfo.openstreetmap.org/keys/website#values
>
> [2]
>
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security
>
> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc
>
> [3]
> https://www.chromium.org/hsts
>
> https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json?cl=5b2537d89ea5994d27bba5735961b0be1095c54c
>
_______________________________________________
talk mailing list
talk@openstreetmap.org
https://lists.openstreetmap.org/listinfo/talk
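
Added example, not part of either message above: a sketch of the preload lookup the thread discusses, showing that a preload-aware client upgrades an `http://` website value only when the host, or a parent entry that covers subdomains, is on the list. The entries and URLs are constructed; the field names follow Chromium's `transport_security_state_static.json`, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entries (not taken from any real preload list).
PRELOAD_ENTRIES = [
    {"name": "example.org", "mode": "force-https", "include_subdomains": True},
    {"name": "shop.example.net", "mode": "force-https"},
]


def build_index(entries):
    """Map host -> include_subdomains flag, keeping force-https entries only."""
    return {
        e["name"].lower().rstrip("."): bool(e.get("include_subdomains", False))
        for e in entries
        if e.get("mode") == "force-https"
    }


def is_preloaded(host, index):
    """True on an exact match, or when a parent entry covers subdomains."""
    host = host.lower().rstrip(".")
    if host in index:
        return True
    labels = host.split(".")
    # Walk up the parents: a.b.example.org -> b.example.org -> example.org -> org
    return any(index.get(".".join(labels[i:])) for i in range(1, len(labels)))


def effective_url(url, index):
    """URL a preload-aware client would request for a stored website= value."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "http" or not host or not is_preloaded(host, index):
        return url  # no preload entry: the request stays as stored
    # RFC 6797 section 8.3: default or explicit port 80 becomes the https
    # default; any other explicit port is kept. Userinfo is dropped here.
    port = parts.port
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    idx = build_index(PRELOAD_ENTRIES)
    for u in ("http://www.example.org/", "http://m.shop.example.net/",
              "http://cafe.example/menu"):
        print(u, "->", effective_url(u, idx))
```
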
