On 19.03.2018 at 22:15, Willy Tarreau wrote:
> Looks like it indeed. By then there was no "http-request" ruleset
> either. Maybe we could move it to a place where it's generated
> earlier, or maybe we could ensure that it's computed on the fly
> when the associated sample fetch function is called for %ID (I
> didn't remember it was available like this).

Is there some specific place I should file this "bug" report or is my
email sufficient for you to keep track of?

>> Here's two more that came into my mind:
>> - Expect-CT
>> - Public-Key-Pins (a.k.a. HPKP)
>> Both are deeply related to HSTS due to being TLS security headers. The
>> latter is being deprecated by the browsers, because of footgun issues,
>> though. The former is fairly new.
> Yes it's still a draft (unless I missed the announce).

Expect-CT technically still is a draft [1], but it has been implemented since
Google Chrome 61 [2]. Personally I know that Cloudflare already is
setting that header on their responses.

HPKP is deprecated in Google Chrome and header processing will be
removed for Chrome 67 (which is due in May).

Best regards
Tim Düsterhus

[1] https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02
[2] https://www.chromestatus.com/feature/5677171733430272
