On Tue, Feb 17, 2015 at 2:43 PM, Bjoern Hoehrmann <derhoe...@gmx.net> wrote:
> * Anne van Kesteren wrote:
> >On Tue, Feb 17, 2015 at 8:18 PM, Bjoern Hoehrmann <derhoe...@gmx.net> wrote:
> >> Individual resources should not be able to declare policy for the whole
> >> server, ...
> >
> >With HSTS we gave up on that.

FWIW, this dynamic is why you can't set HSTS on an S3 bucket (or a CloudFront distribution backed by an S3 bucket). Amazon isn't willing to let you set a HSTS header for a file that might also be served at s3.amazonaws.com. And so any website backed by S3, even if you never use the s3.amazonaws.com URLs, is restricted from setting HSTS headers.

-- Eric

--
konklone.com | @konklone <https://twitter.com/konklone>
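The host-wide scoping Eric describes, as an added example that is not from the thread: a minimal HSTS cache in the shape RFC 6797 specifies, keyed by host rather than by the resource that carried the header. The S3 scenario assumes the path-style `s3.amazonaws.com/<bucket>/<key>` form alongside the bucket-host form, and uses constructed headers and hostnames.

```python
def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains), or None if the value is malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None  # duplicate or non-numeric max-age: the whole header is ignored
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    """Known-HSTS store keyed by host only: the path that carried the header never enters the key."""
    def __init__(self):
        self.entries = {}  # host -> (expiry_timestamp, include_subdomains)

    def observe(self, host, path, over_tls, headers, now):
        # `path` is accepted only to make the point: it is deliberately unused.
        if not over_tls:
            return  # RFC 6797 ignores the header on plaintext responses
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        parsed = parse_hsts(value) if value else None
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 withdraws the policy
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def should_upgrade(self, host, now):
        """True if an http:// request to `host` must be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))  # host itself, then each parent domain
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def s3_scenario():
    """Constructed example: the same object reachable under a bucket host and the shared host."""
    cache, now = HstsCache(), 1_700_000_000
    headers = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    cache.observe("example-bucket.s3.amazonaws.com", "/index.html", True, headers, now)
    before = cache.should_upgrade("other-bucket.s3.amazonaws.com", now)
    cache.observe("s3.amazonaws.com", "/example-bucket/index.html", True, headers, now)
    return before, cache.should_upgrade("other-bucket.s3.amazonaws.com", now)
```

Once the path-style response has been seen, the policy sits on `s3.amazonaws.com` and, with `includeSubDomains`, reaches every other bucket host under it, which is the shared-host problem the thread is about.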