[HTTPS-Everywhere] HSTS rules

Jacob Hoffman-Andrews jsha at eff.org
Wed Apr 27 14:24:24 PDT 2016


On 04/27/2016 01:53 PM, Alexander Buchner wrote:
> If a site is in the HSTS preload list, it has set the
> includeSubDomains directive, since this is a requirement to get into
> the list. So I understand that for sites where the browser has the
> HSTS flag with includeSubDomains it shouldn't matter if the cookies
> have the secure flag or not since there is no way for them to get sent
> over http, right? So having rules for sites which are already on the
> HSTS preload list seems to be unnecessary to me and we could/should
> delete them.
I agree. I wasn't aware of the includeSubDomains requirement to get on
the preload list when I wrote this message. I assume that applies to
both Chrome and FF?

Also, FWIW: We did a batch deletion last year of a large-ish number
(~200) of rulesets that were originally autogenerated from HSTS preload
lists. The remaining rulesets that overlap with HSTS should be
relatively few in absolute size, although there is still some value in
removing them, because if they have complex rewrites, those could cause
bugs.
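
The redundancy check the two messages above discuss, written out as an added example (this is not HTTPS Everywhere project code and not code from either poster). It answers the question a ruleset maintainer would ask: given a preload entry, is HTTPS already forced for every host a ruleset targets, and does a site's Strict-Transport-Security header even meet the preload list's directive requirements? The entry fields ("name", "mode", "include_subdomains") follow the shape of Chromium's transport_security_state_static.json; the three PRELOAD entries are constructed for the example; the one-year max-age threshold is the value hstspreload.org asks for today, which has changed since 2016, so treat it as an assumption.

```python
"""Decide whether an HSTS preload entry already forces HTTPS for a ruleset's hosts.

Added example, not code from HTTPS Everywhere or from the posters. Entry fields
follow Chromium's transport_security_state_static.json ("name", "mode",
"include_subdomains"); the PRELOAD entries below are constructed for this example.
"""

# Constructed sample of preload entries (not the real list).
PRELOAD = [
    {"name": "eff.org", "mode": "force-https", "include_subdomains": True},
    {"name": "example.com", "mode": "force-https", "include_subdomains": True},
    # An entry without include_subdomains covers only the exact host.
    {"name": "legacy.example", "mode": "force-https", "include_subdomains": False},
]

# Assumed threshold: hstspreload.org currently asks for a max-age of at least one year.
MIN_PRELOAD_MAX_AGE = 31536000


def _by_name(entries):
    """Index force-https entries by lower-cased name."""
    return {e["name"].lower(): e for e in entries if e.get("mode") == "force-https"}


def _suffixes(host):
    """Yield (is_exact, name) for host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield i == 0, ".".join(labels[i:])


def preload_entry_for(host, entries=PRELOAD):
    """Return the preload entry that forces HTTPS for this exact host, or None.

    Mirrors the browser lookup: an entry naming the host itself applies; an entry
    naming a parent domain applies only if it carries include_subdomains.
    """
    table = _by_name(entries)
    for exact, name in _suffixes(host):
        e = table.get(name)
        if e is not None and (exact or e.get("include_subdomains")):
            return e
    return None


def subtree_forced(domain, entries=PRELOAD):
    """True if domain and every possible subdomain of it are forced to HTTPS,
    i.e. some entry at domain or above carries include_subdomains."""
    table = _by_name(entries)
    return any(table.get(n, {}).get("include_subdomains") for _, n in _suffixes(domain))


def ruleset_redundant(targets, entries=PRELOAD):
    """True when every <target host="..."> of a ruleset is already forced to HTTPS.

    A wildcard target such as *.example.com can name any subdomain, so it needs an
    include_subdomains entry at example.com or above; a plain host needs an entry
    that applies to it directly.
    """
    for t in targets:
        if t.startswith("*."):
            if not subtree_forced(t[2:], entries):
                return False
        elif preload_entry_for(t, entries) is None:
            return False
    return True


def hsts_preload_eligible(header):
    """Check a Strict-Transport-Security header value against the preload list's
    directive requirements: max-age >= MIN_PRELOAD_MAX_AGE, includeSubDomains, preload.
    Directive names are case-insensitive (RFC 6797); a quoted max-age is accepted."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False
    return (max_age >= MIN_PRELOAD_MAX_AGE
            and "includesubdomains" in directives
            and "preload" in directives)


if __name__ == "__main__":
    print(ruleset_redundant(["eff.org", "*.eff.org"]))                  # True
    print(ruleset_redundant(["legacy.example", "*.legacy.example"]))    # False
    print(hsts_preload_eligible("max-age=31536000; includeSubDomains; preload"))  # True
```

The wildcard case is the one worth keeping in mind when pruning rulesets: a preload entry without include_subdomains covers only the exact host, so a ruleset whose targets include `*.legacy.example` is not redundant even though `legacy.example` itself is preloaded. The header check is a quick way to tell whether a site that is not yet on the list could get there, which is the condition under which its ruleset would become redundant later.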
