<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    It's fine to remove an auto-generated HSTS rule, if:<br>
     - Its hosts are now fully covered in the HSTS preload list.<br>
     - The secure cookie rules are not necessary (e.g. the site secures
    all its cookies, *or* only sets cookies that are scoped exactly to
    the covered HSTS domain).<br>
    <br>
    <div class="moz-cite-prefix">On 05/24/2015 08:12 AM, <a class="moz-txt-link-abbreviated" href="mailto:sjw@gmx.ch">sjw@gmx.ch</a>
      wrote:<br>
    </div>
    <blockquote cite="mid:5561EA48.2010103@gmx.ch" type="cite">
      <pre wrap="">Hi

How do we handle auto generated HSTS rules?
<a class="moz-txt-link-freetext" href="https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Onlime.ch.xml">https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Onlime.ch.xml</a>
is only enabled on Firefox, but the rule is in Firefox' preload list
too:
<a class="moz-txt-link-freetext" href="https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc#351">https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc#351</a>

Should we delete such rules now or disable completely?

Regards
Jonas

</pre>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
HTTPS-Everywhere mailing list
<a class="moz-txt-link-abbreviated" href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a>
<a class="moz-txt-link-freetext" href="https://lists.eff.org/mailman/listinfo/https-everywhere">https://lists.eff.org/mailman/listinfo/https-everywhere</a></pre>
    </blockquote>
    <br>
  </body>
</html>