[HTTPS-Everywhere] HSTS rules

Jacob Hoffman-Andrews jsha at eff.org
Sun May 24 12:30:25 PDT 2015


It's fine to remove an auto-generated HSTS rule, if:
 - Its hosts are now fully covered in the HSTS preload list.
 - The secure cookie rules are not necessary (e.g. the site secures all
its cookies, *or* only sets cookies that are scoped exactly to the
covered HSTS domain).

On 05/24/2015 08:12 AM, sjw at gmx.ch wrote:
> Hi
>
> How do we handle auto-generated HSTS rules?
> https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Onlime.ch.xml
> is only enabled on Firefox, but the rule is in Firefox' preload list
> too:
> https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc#351
>
> Should we delete such rules now or disable completely?
>
> Regards
> Jonas
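
The two removal conditions from the reply above, written as a check (an added example, not part of the original message or of the HTTPS Everywhere code base). The ruleset, preload entries and cookie observations are constructed sample data, and reading "scoped exactly" as "every host the cookie can be sent to is in preload scope" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample ruleset in the HTTPS Everywhere XML format (not a real rule).
RULESET = """<ruleset name="Example.test (HSTS)" platform="firefox">
  <target host="example.test" />
  <target host="www.example.test" />
  <target host="mail.example.test" />
  <securecookie host=".+" name=".+" />
  <rule from="^http:" to="https:" />
</ruleset>"""

# Constructed preload entries: host -> includeSubDomains flag.
PRELOAD = {"example.test": False, "www.example.test": True}

# Constructed Set-Cookie observations: (setting host, Domain attribute or None, Secure).
COOKIES = [("www.example.test", None, True),
           ("example.test", "example.test", False)]

def covers(host, preload, subdomains_too=False):
    """True if host (and, if asked, all its subdomains) is in HSTS preload scope."""
    labels = host.lower().lstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in preload:
            # An exact entry covers the host itself; anything wider needs includeSubDomains.
            if (i == 0 and not subdomains_too) or preload[name]:
                return True
    return False

def target_covered(target, preload):
    # A wildcard target such as *.example.test needs includeSubDomains on the parent.
    if target.startswith("*."):
        return covers(target[2:], preload, subdomains_too=True)
    return "*" not in target and covers(target, preload)

def review(ruleset_xml, preload, cookies):
    root = ET.fromstring(ruleset_xml)
    uncovered = [t.get("host") for t in root.iter("target")
                 if not target_covered(t.get("host"), preload)]
    # Condition 2: the securecookie rules are unnecessary if every cookie is
    # Secure, or every cookie can only be sent to hosts in preload scope
    # (host-only cookie -> setting host; Domain cookie -> domain and subdomains).
    all_secure = all(secure for _, _, secure in cookies)
    all_scoped = all(covers(dom or host, preload, subdomains_too=dom is not None)
                     for host, dom, _ in cookies)
    cookies_ok = (root.find("securecookie") is None) or all_secure or all_scoped
    return {"uncovered": uncovered, "cookies_ok": cookies_ok,
            "removable": not uncovered and cookies_ok}

if __name__ == "__main__":
    print(review(RULESET, PRELOAD, COOKIES))
```

With the sample data the rule is not removable: `mail.example.test` is outside the preload scope, and the non-Secure `Domain=example.test` cookie reaches subdomains that the preload entry does not cover.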
