So what is the reason to use HSTS over a server-initiated redirect? Seems to me the latter would provide greater security, whereas the former is easy to bypass.
-----Original Message-----
From: Henri Sivonen
Sent: Monday, September 22, 2014 7:56 AM

On Wed, Sep 17, 2014 at 6:20 PM, Richard Barnes <rbar...@mozilla.com> wrote:
> There are a bunch of security features right now that I think we all agree
> improve security over and above just using HTTPS:
> -- HTTP Strict Transport Security

Yes, but I think this requirement shouldn't apply to subresources for the page to qualify, since top-level HSTS together with the "No mixed content" requirement means that there's no sslstrip risk for embedded resources even if they are served from a non-HSTS CDN.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
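The difference between a server-initiated redirect and HSTS that the question and Henri's sslstrip remark turn on is where the http-to-https upgrade happens: on the server (after a plaintext request has already left the client) or inside the browser (before any plaintext request is made). The following Python model, added here as an illustration and not code from the thread, from Mozilla or from any real browser, plays an sslstrip-style on-path attacker against both designs. The hostname, URLs, headers and the "preload" set are all constructed for the example; the attacker is assumed to control only the plaintext hop and to hold no certificate for the site.

```python
"""Model of sslstrip against a redirect-only site versus an HSTS site.

Added illustration for the thread above; not code from the mailing list,
from Mozilla or from any browser.  Hosts, paths and headers are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

HOST = "www.example.test"  # constructed hostname


@dataclass
class Origin:
    """The real site: redirects http->https and optionally sets HSTS."""
    send_hsts: bool

    def handle(self, scheme: str, path: str):
        if scheme == "http":
            # The server-initiated redirect the question asks about.
            return 301, {"Location": f"https://{HOST}{path}"}, ""
        headers = {}
        if self.send_hsts:
            headers["Strict-Transport-Security"] = "max-age=31536000"
        return 200, headers, f'<a href="https://{HOST}/login">log in</a>'


class SslStrip:
    """On-path attacker on the plaintext hop (sslstrip-style).

    It only sees and modifies http traffic; an https connection the client
    opens itself passes through untouched (no rogue certificate assumed).
    """

    def __init__(self, origin: Origin):
        self.origin = origin

    def handle(self, scheme: str, path: str):
        if scheme == "https":
            return self.origin.handle("https", path)  # cannot tamper
        # Speak https to the origin ourselves, answer the victim in plaintext:
        # the 301 never reaches the client, the HSTS header is dropped and
        # every https:// link in the page is rewritten to http://.
        status, headers, body = self.origin.handle("https", path)
        headers = {k: v for k, v in headers.items()
                   if k.lower() != "strict-transport-security"}
        return status, headers, body.replace("https://", "http://")


@dataclass
class Browser:
    hsts_cache: set = field(default_factory=set)  # hosts learned from headers
    preload: set = field(default_factory=set)     # constructed stand-in for a preload list

    def navigate(self, url: str, network) -> str:
        """Follow a navigation; return the scheme the page was finally loaded over."""
        if "://" not in url:
            url = "http://" + url  # a bare hostname is tried over http first
        for _ in range(5):
            u = urlsplit(url)
            scheme = u.scheme
            if u.hostname in self.hsts_cache or u.hostname in self.preload:
                scheme = "https"  # internal upgrade, before any request is sent
            status, headers, body = network.handle(scheme, u.path or "/")
            if scheme == "https" and "Strict-Transport-Security" in headers:
                self.hsts_cache.add(u.hostname)  # HSTS is only honoured over https
            if status in (301, 302):
                url = headers["Location"]
                continue
            return scheme
        raise RuntimeError("too many redirects")


def redirect_only_attacked() -> str:
    """Redirect-only site, attacker present: the 301 is swallowed."""
    return Browser().navigate(HOST + "/account", SslStrip(Origin(send_hsts=False)))


def hsts_first_visit_attacked() -> str:
    """HSTS site, but the browser has never seen the header: same outcome."""
    return Browser().navigate(HOST + "/account", SslStrip(Origin(send_hsts=True)))


def hsts_after_clean_visit_attacked() -> str:
    """HSTS site after one clean visit: the upgrade happens client-side."""
    origin = Origin(send_hsts=True)
    browser = Browser()
    browser.navigate(HOST + "/account", origin)  # earlier visit on a clean network
    return browser.navigate(HOST + "/account", SslStrip(origin))


def hsts_preloaded_attacked() -> str:
    """HSTS host on the preload list: protected even on the very first visit."""
    return Browser(preload={HOST}).navigate(HOST + "/account", SslStrip(Origin(send_hsts=True)))


if __name__ == "__main__":
    for f in (redirect_only_attacked, hsts_first_visit_attacked,
              hsts_after_clean_visit_attacked, hsts_preloaded_attacked):
        print(f"{f.__name__:32s} loaded over {f()}")
```

Run stand-alone, the four scenarios print http, http, https, https. The redirect is defeated because the attacker answers the plaintext request itself and the client never learns a redirect was intended; HSTS survives because a browser that has cached (or preloaded) the policy rewrites the URL to https before the first byte leaves the machine, so there is no plaintext request for sslstrip to intercept. The second scenario is the honest caveat behind "easy to bypass": HSTS is trust-on-first-use, so the first contact on a hostile network is as exposed as a redirect-only site unless the host is preloaded. It also shows why Henri's point about subresources holds: once the top-level document is loaded over https and mixed content is refused, every embedded resource is requested over https regardless of whether the CDN sends its own HSTS header.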