Sometimes there's HSTS with no HTTP → HTTPS redirect, sometimes the opposite. How hard is it to do both?
If Firefox's preload list works the same way it did three years ago, that means they aren't preloaded in Firefox and thus not HSTS there.
Does Firefox confirm via HTTPS that HSTS is no longer served?
Oh, that's how they did it! I knew the carveout was fragile, but never actually checked their code.
Maybe this can go away now? Wasn't it deprecated a long time ago & replaced twice? Would love to see telemetry for it. /cc @mozkeeler
Filed https://bugs.chromium.org/p/chromium/issues/detail?id=759864. Guess I didn't get around to filing a Firefox bug (probably won't until we know Chrome will remove it)
Correct, assuming the Firefox roller's last successful HTTPS connection to the site did not have a sufficient header.
(There are 32 preloaded domains like that.)