
<div><div dir="auto">The HSTS discussion is completely orthogonal to what the stated goal is and any further discussion on it is really just muddying the waters. HSTS comes into play after the user is already visiting over https. </div></div><div dir="auto"><br></div><div dir="auto">If I’m mistaken, please help me understand. </div><div><br><div class="gmail_quote"><div dir="ltr">On Tue, Feb 26, 2019 at 6:30 AM Rory McCann <<a href="mailto:rory@technomancy.org">rory@technomancy.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 26/02/2019 14:45, Joseph Reeves wrote:<br>

> As an aside, HSTS is interesting here because the website operator is<br>

> saying "only use this domain over https", but at that point, we don't<br>

> need to make changes to the database because the web client should be<br>

> aware of the HSTS preload list; the protocol listed in the referrer<br>

> is not relevant.<br>

<br>

I don't think we can rely totally on HSTS. I'm sure not all sites are on <br>

HSTS preload lists. I think OSM has more "website=http://*" tags (965k)¹ <br>

than Firefox² & Chrome³ have in their HSTS preload lists...<br>

<br>

[1] <a href="https://taginfo.openstreetmap.org/keys/website#values" rel="noreferrer" target="_blank">https://taginfo.openstreetmap.org/keys/website#values</a><br>

<br>

[2]<br>

<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security" rel="noreferrer" target="_blank">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security</a><br>

<a href="https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc" rel="noreferrer" target="_blank">https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc</a><br>

<br>

[3]<br>

<a href="https://www.chromium.org/hsts" rel="noreferrer" target="_blank">https://www.chromium.org/hsts</a><br>

<a href="https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json?cl=5b2537d89ea5994d27bba5735961b0be1095c54c" rel="noreferrer" target="_blank">https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json?cl=5b2537d89ea5994d27bba5735961b0be1095c54c</a><br>

<br>

_______________________________________________<br>

talk mailing list<br>

<a href="mailto:talk@openstreetmap.org" target="_blank">talk@openstreetmap.org</a><br>

<a href="https://lists.openstreetmap.org/listinfo/talk" rel="noreferrer" target="_blank">https://lists.openstreetmap.org/listinfo/talk</a><br>

</blockquote></div></div>