<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - CSP: Account for HSTS when deciding whether to send the 'Upgrade-Insecure-Requests' Header"
href="https://bugs.webkit.org/show_bug.cgi?id=157885">157885</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>CSP: Account for HSTS when deciding whether to send the 'Upgrade-Insecure-Requests' Header
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>WebCore Misc.
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>bfulgham@webkit.org
</td>
</tr></table>
<p>
<div>
<pre>The 'Upgrade-Insecure-Requests' specification <<a href="https://w3c.github.io/webappsec/specs/upgrade/">https://w3c.github.io/webappsec/specs/upgrade/</a>> suggests an optimization to sending the header, limiting it to sites that are not known canonical HSTS targets.
We should implement this check and avoid adding the header when it is not needed.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>