<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
It's fine to remove an auto-generated HSTS rule, if:<br>
- Its hosts are now fully covered in the HSTS preload list.<br>
- The secure cookie rules are not necessary (e.g. the site secures
all its cookies, *or* only sets cookies that are scoped exactly to
the covered HSTS domain).<br>
<br>
<div class="moz-cite-prefix">On 05/24/2015 08:12 AM, <a class="moz-txt-link-abbreviated" href="mailto:sjw@gmx.ch">sjw@gmx.ch</a>
wrote:<br>
</div>
<blockquote cite="mid:5561EA48.2010103@gmx.ch" type="cite">
<pre wrap="">Hi
How do we handle auto-generated HSTS rules?
<a class="moz-txt-link-freetext" href="https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Onlime.ch.xml">https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Onlime.ch.xml</a>
is only enabled on Firefox, but the rule is in Firefox's preload list
too:
<a class="moz-txt-link-freetext" href="https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc#351">https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPreloadList.inc#351</a>
Should we delete such rules now or disable completely?
Regards
Jonas
</pre>
<pre wrap="">_______________________________________________
HTTPS-Everywhere mailing list
<a class="moz-txt-link-abbreviated" href="mailto:HTTPS-Everywhere@lists.eff.org">HTTPS-Everywhere@lists.eff.org</a>
<a class="moz-txt-link-freetext" href="https://lists.eff.org/mailman/listinfo/https-everywhere">https://lists.eff.org/mailman/listinfo/https-everywhere</a></pre>
</blockquote>
<br>
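Added example, not part of the original message or of the HTTPS Everywhere code base: a Python check of the two removal conditions in the reply above. The preload entries and cookies are constructed, and treating a non-Secure cookie as safe only when HSTS covers every host in its scope is this example's reading of the second condition.<br>
<pre wrap="">
```python
# Added illustration; PRELOAD and all sample hosts/cookies are constructed.
# PRELOAD maps a preloaded host to its include-subdomains flag.
PRELOAD = {"example.ch": True, "www.example.net": False}


def parents(host):
    """Yield (name, is_exact) for host and each parent: a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]), i == 0


def host_covered(host, preload=PRELOAD):
    """True if an exact entry, or a parent with include-subdomains, covers host."""
    return any(name in preload and (exact or preload[name])
               for name, exact in parents(host))


def subtree_covered(domain, preload=PRELOAD):
    """True if domain and all its subdomains are covered (wildcard or Domain= scope)."""
    return any(name in preload and preload[name] for name, _ in parents(domain))


def target_covered(target, preload=PRELOAD):
    """Check one ruleset target host; a '*.' target needs whole-subtree coverage."""
    if target.startswith("*."):
        return subtree_covered(target[2:], preload)
    return host_covered(target, preload)  # other wildcard forms fall through as uncovered


def cookie_ok(set_cookie, request_host, preload=PRELOAD):
    """No securecookie rule is needed if the cookie is Secure or HSTS covers its scope."""
    attrs = [a.strip() for a in set_cookie.split(";")[1:]]
    if any(a.lower() == "secure" for a in attrs):
        return True
    for a in attrs:
        key, _, value = a.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            # Domain= widens the scope to that domain and every subdomain.
            return subtree_covered(value.strip().lstrip("."), preload)
    return host_covered(request_host, preload)  # host-only cookie


def rule_removable(targets, observed_cookies, preload=PRELOAD):
    """observed_cookies: list of (request_host, Set-Cookie header value) pairs."""
    return (all(target_covered(t, preload) for t in targets)
            and all(cookie_ok(c, h, preload) for h, c in observed_cookies))
```
</pre>
<br>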
</body>
</html>