On Monday 23 May 2016 23:59:45 Ander Juaristi wrote:
> Hi,
>
> I would leave it unchanged. For me this is a WONTFIX, for the following
> reasons:
>
> 1. The message is only printed when debug output (-d) is enabled. That
> is disabled by default. Any user who enables it is expected to be wise
> enough to know how to interpret the output, or at least treat it with care.
> 2. Solving this would require checking whether the scheme is 'ftp://'
> and in the case of HTTP(S), further checking whether the
> Strict-Transport-Security header was set (in the case of HTTPS), or we
> were redirected to the HTTPS entry point of the site and that entry
> point sets it. This adds extra unnecessary complexity for the single
> reason of hiding an output that only appears in debug mode. IMO it does
> not pay off.
> 3. The HSTS file is read at the beginning, and written at the end. That
> is the best way of doing it, and the way other UAs work. A simpler
> solution than that proposed at point 2 would require putting the HSTS
> load/save routines in other place, maybe checking them on a per-URL
> basis. This also does not pay off IMO.
>
> The best 'fix' that comes to my mind is a compromise. Don't remove the
> message (for the reasons mentioned), but print how many HSTS entries
> have been read/updated/written. Something like:
>
> Saving HSTS entries to /home/strunk/.wget-hsts (read: 1, updated: 0)
>
> I would do either this or nothing. Tell me if this is acceptable.

Hi Ander,

IMO, another possibility is to add a flag to 'struct hsts_store' that indicates any change made. hsts_store_save() could be skipped if that flag is not set.

At the same time the debug info has to be moved from main.c/save_hsts() to hsts.c/hsts_store_save() OR hsts.c needs another function to return the value of the flag, so that save_hsts() could check it.

WDYT ?

Tim
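
The changed-flag idea from the reply above, as an added sketch that is not wget's code: `demo_store`, `demo_entry` and the `demo_store_*` functions are hypothetical stand-ins for `struct hsts_store` and `hsts_store_save()`, with assumed fields. The save routine returns whether it wrote anything, so a caller can decide whether to print the debug line.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 8

/* Hypothetical, simplified model of an HSTS store (not wget's layout). */
struct demo_entry { char host[64]; long max_age; bool include_subdomains; };
struct demo_store {
    struct demo_entry e[MAX_ENTRIES];
    int count;
    bool changed;                 /* the proposed flag: any change made */
};

/* Apply one Strict-Transport-Security policy. max_age 0 drops the host
   (RFC 6797). 'changed' is set only when the stored state really differs. */
void demo_store_update(struct demo_store *s, const char *host,
                       long max_age, bool incl) {
    int i;
    for (i = 0; i < s->count; i++)
        if (strcmp(s->e[i].host, host) == 0)
            break;
    if (i < s->count && max_age == 0) {          /* known host, revoked */
        s->e[i] = s->e[--s->count];
        s->changed = true;
    } else if (i < s->count) {                   /* known host, refreshed */
        if (s->e[i].max_age != max_age || s->e[i].include_subdomains != incl)
            s->changed = true;
        s->e[i].max_age = max_age;
        s->e[i].include_subdomains = incl;
    } else if (max_age != 0 && s->count < MAX_ENTRIES) {   /* new host */
        snprintf(s->e[i].host, sizeof s->e[i].host, "%s", host);
        s->e[i].max_age = max_age;
        s->e[i].include_subdomains = incl;
        s->count++;
        s->changed = true;
    }
}

/* Returns 1 if entries were written, 0 if the save was skipped because
   nothing changed; the caller prints its debug message only on 1. */
int demo_store_save(struct demo_store *s, FILE *fp) {
    if (!s->changed)
        return 0;
    for (int i = 0; i < s->count; i++)
        fprintf(fp, "%s\t%d\t%ld\n", s->e[i].host,
                s->e[i].include_subdomains, s->e[i].max_age);
    s->changed = false;
    return 1;
}
```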
