Sometimes there's HSTS with no HTTP → HTTPS redirect, sometimes the opposite. How hard is it to do both?
-
They met the requirements once upon a time, I think.
-
If Firefox's preload list works the same way it did three years ago, that means they aren't preloaded in Firefox and thus not HSTS there.
-
Does Firefox confirm via HTTPS that HSTS is no longer served?
-
Oh, that's how they did it! I knew the carveout was fragile, but never actually checked their code.
-
Maybe this can go away now? Wasn't it deprecated a long time ago & replaced twice? Would love to see telemetry for it. /cc @mozkeeler
-
Filed https://bugs.chromium.org/p/chromium/issues/detail?id=759864 … . Guess I didn't get around to filing a Firefox bug (probably won't until we know Chrome will remove it)
-
We have never pruned a domain without authenticated information. HTTP responses are unauthenticated.

-
We *intend* to prune sites that respond over HTTPS but don't send HSTS, but the list is growing too fast rn to justify time on pruning infra.
-
(There are 32 preloaded domains like that.)
