On Tue, Aug 21, 2012 at 2:30 PM, Brian Smith <[email protected]> wrote:
> Adam Barth wrote:
>> > FWIW, in Firefox we are also going to honor max-age=0 as a
>> > mechanism to disable the entries in our pre-loaded HSTS list that
>> > will ship in the browser.
>>
>> How long do you plan to cache the disable?
>
> Initially: until we receive an HSTS header with max-age > 0 for the site, or
> until the user clears the dynamic HSTS database in a way that removes the
> dynamic HSTS information (e.g. by using "Clear Recent History"), to reset
> back to the "as shipped" state.

Interesting. I wonder if that's something Chrome should do as well.
Let me ask agl for his thoughts.

Thanks,
Adam
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
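
The disable semantics discussed in this message, modelled as an added example (not part of the original thread and not Firefox or Chrome code): a preloaded list plus a dynamic store in which max-age=0 for a preloaded host is kept as a non-expiring "knockout" until a header with max-age > 0 arrives or the dynamic data is cleared. The class, method and host names are hypothetical; the sketch assumes headers are only passed in when received over a valid HTTPS connection, that an expired dynamic entry falls back to the shipped list, and it does not model includeSubDomains.

```javascript
// Added illustration; class and method names are hypothetical, not browser code.
class HstsStore {
  constructor(preloadedHosts) {
    this.preloaded = new Set(preloadedHosts); // list shipped with the browser
    this.dynamic = new Map();                 // host -> { knockout, expires }
  }

  // Process a Strict-Transport-Security header (assumed: seen over valid HTTPS).
  // maxAge is in seconds, now is in milliseconds.
  processHeader(host, maxAge, now) {
    if (maxAge > 0) {
      // A positive max-age replaces any earlier state, including a knockout.
      this.dynamic.set(host, { knockout: false, expires: now + maxAge * 1000 });
    } else if (this.preloaded.has(host)) {
      // max-age=0 for a preloaded host: remember the disable with no expiry.
      this.dynamic.set(host, { knockout: true, expires: null });
    } else {
      // max-age=0 for any other host just forgets the dynamic entry.
      this.dynamic.delete(host);
    }
  }

  // Should a plain-HTTP request to this host be upgraded to HTTPS?
  isHsts(host, now) {
    const entry = this.dynamic.get(host);
    if (entry) {
      if (entry.knockout) return false;     // disable overrides the preload
      if (entry.expires > now) return true; // live dynamic entry
    }
    return this.preloaded.has(host);        // expired or absent: as shipped
  }

  // "Clear Recent History": drop all dynamic data, knockouts included.
  clearDynamic() {
    this.dynamic.clear();
  }
}

// Constructed walk-through; the host name is a placeholder.
function demo() {
  const store = new HstsStore(["preloaded.example"]);
  const results = [store.isHsts("preloaded.example", 0)]; // as shipped
  store.processHeader("preloaded.example", 0, 0);
  results.push(store.isHsts("preloaded.example", 0));     // disabled
  store.clearDynamic();
  results.push(store.isHsts("preloaded.example", 0));     // reset
  return results;
}
```

Because the knockout never expires on its own in this model, a site that once sent max-age=0 stays opted out of the shipped entry across restarts until one of the two reset conditions occurs.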
