[Webkit-unassigned] [Bug 157885] New: CSP: Account for HSTS when deciding whether to send the 'Upgrade-Insecure-Requests' Header

bugzilla-daemon at webkit.org
Wed May 18 23:33:47 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=157885

            Bug ID: 157885
           Summary: CSP: Account for HSTS when deciding whether to send
                    the 'Upgrade-Insecure-Requests' Header
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bfulgham at webkit.org

The 'Upgrade-Insecure-Requests' specification <https://w3c.github.io/webappsec/specs/upgrade/> suggests an optimization to sending the header, limiting it to sites that are not known canonical HSTS targets.

We should implement this check and avoid adding the header when it is not needed.
