https://bugzilla.wikimedia.org/show_bug.cgi?id=38516
--- Comment #10 from Ryan Lane <[email protected]> --- (In reply to comment #9) > Note that you can disable HSTS at any point by sending the header with an > expiry that already expired (similar to how it's done with cookies). This is > what Extension:SecureSessions does to implement HSTS in MediaWiki, and as > long > as Squid/Varnish allows MediaWiki to override the HSTS header it sends > somehow, > it should still be possible even with an HTML cache. Let's assume we need to turn off HSTS for a really great reason, like a country being blocked on HTTPS. How would those users get the expired header if they can't reach the site? -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
