[HTTPS-Everywhere] HSTS rules

Alexander Buchner alexander.buchner at posteo.de
Wed Apr 27 13:53:04 PDT 2016


On 24.05.2015 21:30, Jacob Hoffman-Andrews wrote:
> It's fine to remove an auto-generated HSTS rule, if:
>  - Its hosts are now fully covered in the HSTS preload list.
>  - The secure cookie rules are not necessary (e.g. the site secures all
> its cookies, *or* only sets cookies that are scoped exactly to the
> covered HSTS domain).

Sorry for resurrecting this old thread.

Just one comment and/or question.

If a site is in the HSTS preload list, it has set the includeSubDomains
directive, since this is a requirement to get into the list.

So I understand that for sites where the browser has the HSTS flag with
includeSubDomains, it shouldn't matter if the cookies have the secure
flag or not, since there is no way for them to get sent over http, right?

So having rules for sites which are already on the HSTS preload list
seems to be unnecessary to me and we could/should delete them.

Please correct me if I'm wrong.
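An added example, not from this thread or the HTTPS-Everywhere project, that turns the two conditions discussed above into something checkable: a parser for the Strict-Transport-Security header that reports what would keep a site out of the preload list under the current hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), and a check of whether a cookie's scope is entirely covered by an HSTS policy with includeSubDomains, which is when a missing Secure flag cannot cause a conforming browser to send the cookie in cleartext. The HSTS entries and hostnames in the sample are constructed; a real check would consult the actual preload list and the cookie's actual Domain attribute.

```python
"""Check HSTS preload eligibility and whether a cookie's scope is HSTS-covered.

Added example for the HTTPS-Everywhere HSTS-rule discussion; the entries and
hostnames below are constructed, not taken from the real preload list.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Current hstspreload.org requirement: max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Directive names are case-insensitive, so they are lower-cased; a directive
    without a value maps to None, and quoted values have their quotes removed.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def preload_problems(header: str) -> List[str]:
    """Return the reasons this header would fail preload submission (empty = ok)."""
    d = parse_hsts(header)
    problems: List[str] = []
    max_age = -1
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        problems.append("max-age missing or not an integer")
    if 0 <= max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


@dataclass(frozen=True)
class HstsEntry:
    """One known HSTS host (e.g. a preload-list entry or a cached header)."""
    host: str
    include_subdomains: bool


def hsts_covers_host(host: str, entries: List[HstsEntry]) -> bool:
    """True if every request to `host` would be upgraded to HTTPS: the host has
    its own entry, or a parent entry carries includeSubDomains (RFC 6797 8.2/8.3)."""
    host = host.lower().rstrip(".")
    for e in entries:
        eh = e.host.lower()
        if host == eh or (e.include_subdomains and host.endswith("." + eh)):
            return True
    return False


def hsts_covers_domain_tree(domain: str, entries: List[HstsEntry]) -> bool:
    """True if `domain` and all of its subdomains are HSTS-covered, which needs
    an entry at `domain` or above that carries includeSubDomains."""
    domain = domain.lower().lstrip(".")
    for e in entries:
        eh = e.host.lower()
        if e.include_subdomains and (domain == eh or domain.endswith("." + eh)):
            return True
    return False


def cookie_needs_secure_flag(cookie_domain: str, host_only: bool,
                             entries: List[HstsEntry]) -> bool:
    """Decide whether the Secure flag still matters for a cookie.

    A host-only cookie is sent to one host; a Domain= cookie is sent to that
    domain and every subdomain, so the whole tree must be covered. Anywhere the
    cookie could go that is not HSTS-covered is a possible cleartext leak, and
    then the Secure flag (and the secure-cookie rule) still does real work.
    """
    if host_only:
        return not hsts_covers_host(cookie_domain, entries)
    return not hsts_covers_domain_tree(cookie_domain, entries)


if __name__ == "__main__":
    # Constructed sample: one preload-style entry, one cached entry without
    # includeSubDomains, as a stand-in for a real preload list.
    sample = [HstsEntry("example.com", True), HstsEntry("legacy.example.net", False)]
    print(preload_problems("max-age=31536000; includeSubDomains; preload"))
    print(preload_problems("max-age=10886400; preload"))
    for dom, host_only in [("example.com", False), ("api.example.com", True),
                           ("legacy.example.net", False), ("other.example.org", True)]:
        print(dom, "host-only" if host_only else "domain cookie",
              "needs Secure" if cookie_needs_secure_flag(dom, host_only, sample)
              else "covered by HSTS")
```

The distinction the second half makes is the one Jacob's second bullet draws: a cookie scoped exactly to an HSTS host with includeSubDomains is covered, while a Domain= cookie whose tree extends past what HSTS covers is not, and the answer comes from the cookie's scope rather than from the site's preload status alone.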

