On Fri, Sep 18, 2009 at 10:30 PM, Jonas Sicking <[email protected]> wrote: > I wonder for example if the client when receiving a > Strict-Transport-Security header should make a request to the root url > of the same origin to verify that the server indeed wants to opt in to > STS.
That's a good idea. Do you think we should do that for all instances of Strict-Transport-Security, or just for headers with the includeSubDomains directive? Adam
