James, I’m not following you. Can you expand on what changes you assume the
bot will be making, and what the “horribly wrong” event would be as a result
of said changes? I think you’re leaving out a piece of the puzzle and I’m not
sure what it is.

Thanks.

On Tue, Feb 26, 2019 at 6:46 AM James <james2...@gmail.com> wrote:

> I can give an example of this going horribly wrong:
>
> http://www.osmcanada.ca redirects to https://www.osmcanada.ca
>
> but I specifically disabled https on http://tasks.osmcanada.ca (hosted on
> same server) because JOSM doesn't play nice with https task manager
>
> Web admins will redirect their traffic if it needs to be. We shouldn't
> force https, worst case port 80 will redirect to 443 via http header.
> Semi-worst case they have HSTS header that tells browser to connect to 443
> until xyz (far in future) and best case web admin registered on HSTS preload
> list, so modern browsers will do their job.
>
> On Tue., Feb. 26, 2019, 9:39 a.m. Bryce Jasmer, <br...@jasmer.com> wrote:
>
>> The HSTS discussion is completely orthogonal to what the stated goal is
>> and any further discussion on it is really just muddying the waters. HSTS
>> comes into play after the user is already visiting over https.
>>
>> If I’m mistaken, please help me understand.
>>
>> On Tue, Feb 26, 2019 at 6:30 AM Rory McCann <r...@technomancy.org> wrote:
>>
>>> On 26/02/2019 14:45, Joseph Reeves wrote:
>>> > As an aside, HSTS is interesting here because the website operator is
>>> > saying "only use this domain over https", but at that point, we don't
>>> > need to make changes to the database because the web client should be
>>> > aware of the HSTS preload list; the protocol listed in the referrer
>>> > is not relevant.
>>>
>>> I don't think we can rely totally on HSTS. I'm sure not all sites are on
>>> HSTS preload lists. I think OSM has more "website=http://*" tags (965k)¹
>>> than Firefox² & Chrome³ have in their HSTS preload lists...
>>>
>>> [1] https://taginfo.openstreetmap.org/keys/website#values
>>>
>>> [2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security
>>> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc
>>>
>>> [3] https://www.chromium.org/hsts
>>> https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json?cl=5b2537d89ea5994d27bba5735961b0be1095c54c
>>>
>>> _______________________________________________
>>> talk mailing list
>>> talk@openstreetmap.org
>>> https://lists.openstreetmap.org/listinfo/talk
>>>
>
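The cases raised in the thread (a deliberately HTTP-only host, a plain redirect, an HSTS header, preload) can be told apart per hostname from the server's own responses. The Python below is an added example, not part of the original thread; the hostnames, responses and the `classify`/`survey` helpers are constructed for illustration, and the preload check covers only the header criteria published at hstspreload.org.

```python
from urllib.parse import urlsplit
PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org requires

def parse_hsts(value):
    """Return (max_age, flags) for a Strict-Transport-Security value, or None if invalid."""
    max_age, flags, seen = None, set(), set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None  # RFC 6797 section 6.1: each directive may appear only once
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name in ("includesubdomains", "preload"):
            flags.add(name)
    return None if max_age is None else (max_age, flags)

def classify(host, http_resp, https_headers):
    """http_resp: (status, headers) from port 80; https_headers: None if 443 is off. Keys lower-case."""
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    redirects = (status in (301, 302, 307, 308) and target.scheme == "https"
                 and target.hostname == host)
    # An STS header seen over plain HTTP must be ignored (RFC 6797, section 8.1),
    # so only the HTTPS response is consulted here.
    hsts = parse_hsts((https_headers or {}).get("strict-transport-security", ""))
    if hsts and hsts[0] > 0:
        ready = hsts[0] >= PRELOAD_MIN_AGE and {"includesubdomains", "preload"} <= hsts[1]
        return "hsts-preload-ready" if ready and redirects else "hsts"
    return "redirect-only" if redirects else "http-only"

# Constructed responses modelled on the cases in the thread; not captures from real sites.
SAMPLES = {
    "www.example.org": ((301, {"location": "https://www.example.org/"}), {}),
    "tasks.example.org": ((200, {}), None),  # HTTPS deliberately disabled
    "blog.example.org": ((301, {"location": "https://blog.example.org/"}),
                         {"strict-transport-security": "max-age=86400"}),
    "example.net": ((301, {"location": "https://example.net/"}),
                    {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}),
}

def survey():
    return {host: classify(host, http, https) for host, (http, https) in SAMPLES.items()}
```

The verdict is per hostname: `www.example.org` redirecting says nothing about `tasks.example.org` on the same server, which stays `http-only`.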
