On 11/13/12 12:19 PM, Kevin Chadwick wrote:
I presume HSTS will have an about:config disable option as otherwise it will really annoy users and may threaten HSTS's existence for the many with dead laptop and dead bios batteries, such as a mate of mine. Perhaps requiring the master password to be set to disable HSTS in order to prevent violating the RFC.
There's a pref to disable the preload list ("network.stricttransportsecurity.preloadlist") and you can remove individual sites from the list in theory. In practice there's no UI yet on the permissions tab (on page info or about:permissions) so you need to use the ForceTLS addon at the moment.
-Dan Veditz _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
