On Mon, Oct 10, 2016 at 11:12:00AM +0000, Michal Grochmal wrote:
> As far as I am aware, that is the philosophy of the FSF: always give the
> user the choice, do not limit the user in any way. Even more if we are
> limiting the user because of security reasons.
>
> Although I would on several occasions perform the HTTP->HTTPS redirect
> because it is a consensus of the information security community and
> because I want to protect unknowing users, I'm completely against this
> being implemented by the FSF. This is because it goes against the FSF
> philosophy of empowering the user.

If permanent redirects are not okay in your opinion, do you have an opinion on Upgrade-Insecure-Requests? It relies on the user explicitly requesting to use "secure" requests only (HTTPS), but some browsers (e.g. Chromium) do this by default. See my previous message on this list for further explanation. [1]

[1]: https://lists.gnu.org/archive/html/repo-criteria-discuss/2016-10/msg00005.html
