[OSM-talk] HTTPS all the Things (Automated Edit)

Rory McCann rory at technomancy.org
Tue Feb 26 14:29:58 UTC 2019


On 26/02/2019 14:45, Joseph Reeves wrote:
> As an aside, HSTS is interesting here because the website operator is
> saying "only use this domain over https", but at that point, we don't
> need to make changes to the database because the web client should be
> aware of the HSTS preload list; the protocol listed in the referrer
> is not relevant.

I don't think we can rely totally on HSTS. I'm sure not all sites are on 
HSTS preload lists. I think OSM has more "website=http://*" tags (965k)¹ 
than Firefox² & Chrome³ have in their HSTS preload lists...

[1] https://taginfo.openstreetmap.org/keys/website#values

[2]
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc

[3]
https://www.chromium.org/hsts
https://cs.chromium.org/codesearch/f/chromium/src/net/http/transport_security_state_static.json?cl=5b2537d89ea5994d27bba5735961b0be1095c54c
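
The coverage gap raised in this message, as an added example that is not part of the original post: it sorts `website=` tag values by whether an HSTS-preload-aware client would upgrade them. The preload entries and tag values are constructed, and the field names (`name`, `mode`, `include_subdomains`) are assumed to follow the entry layout of the Chromium list linked in [3].

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample entries; field names assumed from Chromium's
# transport_security_state_static.json "entries" array.
PRELOAD_ENTRIES = [
    {"name": "example.org", "mode": "force-https", "include_subdomains": True},
    {"name": "shop.example.net", "mode": "force-https", "include_subdomains": False},
    {"name": "pins.example.com", "include_subdomains": True},  # no force-https mode
]

# Constructed OSM website= tag values.
TAG_VALUES = [
    "http://example.org/cafe", "http://www.example.org", "http://shop.example.net/",
    "http://www.shop.example.net/", "http://bakery.example/", "https://bakery.example/",
    "http://pins.example.com", "www.example.org",
]

def build_index(entries):
    """Map hostname -> include_subdomains, keeping only entries that force HTTPS."""
    return {e["name"].lower(): bool(e.get("include_subdomains"))
            for e in entries if e.get("mode") == "force-https"}

def preload_covers(host, index):
    """True if host is listed exactly, or a parent is listed with include_subdomains."""
    host = host.lower().rstrip(".")
    if host in index:
        return True
    labels = host.split(".")
    # Walk up the parent domains; a parent only counts if it covers subdomains.
    return any(index.get(".".join(labels[i:])) for i in range(1, len(labels)))

def classify(tag_value, index):
    """Classify one website= value by what a preload-aware client would do with it."""
    parts = urlsplit(tag_value.strip())
    if parts.scheme == "https":
        return "already-https"
    if parts.scheme != "http" or not parts.hostname:
        return "not-http-url"
    return "upgraded-by-preload" if preload_covers(parts.hostname, index) else "stays-http"

def summarize(tag_values, entries):
    """Count tag values per class; 'stays-http' is what the preload list cannot fix."""
    index = build_index(entries)
    return Counter(classify(v, index) for v in tag_values)

if __name__ == "__main__":
    for label, count in summarize(TAG_VALUES, PRELOAD_ENTRIES).items():
        print(f"{label}: {count}")
```
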


