The cookies etc. should be SSL only. Particular pages enforced, sure. Enforcing TLS with HSTS sitewide means that users with failed BIOS/laptop batteries have to know to reset their clock, or get used to bypassing SSL warnings, or use out-of-date browsers to access sites. A fairly common problem, not good. Think real world, please. This hurts the most vulnerable.

Another solution may be to remove the "cert is not valid YET" restriction, but that is a can of worms. Thank you

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

