It's fine to remove an auto-generated HSTS rule, if:

- Its hosts are now fully covered in the HSTS preload list.
- The secure cookie rules are not necessary (e.g. the site secures all its cookies, *or* only sets cookies that are scoped exactly to the covered HSTS domain).

On 05/24/2015 08:12 AM, [email protected] wrote:
> Hi
>
> How do we handle auto generated HSTS rules?
> https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Onlime.ch.xml
> is only enabled on Firefox, but the rule is in Firefox' preload list
> too:
> https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc#351
>
> Should we delete such rules now or disable completely?
>
> Regards
> Jonas
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> [email protected]
> https://lists.eff.org/mailman/listinfo/https-everywhere
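
The two conditions from the reply above, written out as a check. This is an added example, not part of the original thread or of HTTPS Everywhere's own tooling. The ruleset, preload entries and Set-Cookie headers are constructed sample data, the function names are hypothetical, and "scoped exactly to the covered domain" is read here as a host-only cookie (no Domain attribute), which is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed ruleset in the HTTPS Everywhere XML format (not the real Onlime.ch.xml).
RULESET = """<ruleset name="Example (constructed)" platform="firefox">
  <target host="example.ch" />
  <target host="www.example.ch" />
  <target host="*.cdn.example.ch" />
  <securecookie host=".+" name=".+" />
  <rule from="^http:" to="https:" />
</ruleset>"""
# Constructed preload entries: host -> include_subdomains flag.
PRELOAD = {"example.ch": True}
# Constructed Set-Cookie header values observed from the site.
COOKIES = ["sid=abc; Path=/; Secure; HttpOnly", "lang=de; Path=/"]

def preload_covers(host, preload):
    """True if a target host (or left-wildcard pattern) is fully covered."""
    host = host.lower()
    if host.endswith(".*"):            # right wildcard spans TLDs: never fully covered
        return False
    wildcard = host.startswith("*.")
    labels = (host[2:] if wildcard else host).split(".")
    if not wildcard and host in preload:
        return True                    # exact preload entry
    # Otherwise an ancestor (for a wildcard: the base name itself or an
    # ancestor) must be preloaded with include_subdomains set.
    start = 0 if wildcard else 1
    return any(preload.get(".".join(labels[i:])) is True
               for i in range(start, len(labels)))

def cookie_needs_rule(set_cookie):
    """True if the cookie is neither Secure nor host-only (has a Domain attribute)."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    host_only = not any(a.startswith("domain=") for a in attrs)
    return not ("secure" in attrs or host_only)

def removable(ruleset_xml, preload, observed_cookies):
    """Return (ok_to_remove, uncovered_targets, cookies_still_needing_the_rule)."""
    root = ET.fromstring(ruleset_xml)
    uncovered = [t.get("host") for t in root.iter("target")
                 if not preload_covers(t.get("host"), preload)]
    # The cookie condition only matters if the ruleset has a securecookie rule.
    has_cookie_rule = root.find("securecookie") is not None
    risky = [c for c in observed_cookies if cookie_needs_rule(c)] if has_cookie_rule else []
    return (not uncovered and not risky), uncovered, risky

if __name__ == "__main__":
    print(removable(RULESET, PRELOAD, COOKIES))
```
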
