> Existence of "I am testing HSTS" directive would allow browsers to present debug information on HSTS succeeding/failing in some form (browser logs, additional debug frame, etc.)
This "report-only"/"testing" mode notion came up in WG discussion in Paris, inspired in part by the "report-only" functionality in the Content Security Policy spec.
The way CSP handles signaling "report-only" is via a separate header field ("Content-Security-Policy-Report-Only"), rather than as a directive.
Given that HSTS as presently specified is implemented in several browsers (Chrome, Firefox, Opera12beta), and deployed by a number of sites, we suggest finishing up the HSTS spec as is.
Then, if there's interest and energy to define a "report-only"/"testing" mode, a fairly simple follow-on spec could be written leveraging the original HSTS spec and defining just what's needed for this.
=JeffH
