> On Sep 4, 2017, at 11:20, David Golden <x...@xdg.me> wrote: > > Are those "OR" conditions? "*.html" OR not in /authors/, etc/?
Yeah, that was the idea. Basically make “things a web browser typically visits” have forced TLS (because humans), but have it be optional for things computers typically use. Hopefully that’d encourage use of TLS without breaking too many old tools/systems. > Among things that should allow non-TLS: I would include /src/. Also the > top-level RECENT files, things in /indices/. +1. Maybe it makes more sense to reverse the logic and just targeting whatever the most popular[1] web pages for browsers and count on HSTS having the browsers sort it out; basically an expanded version of what we did now with just the home page. Ask [1] Not that we have logs, but we could figure out to collect those for a little while.