27909 – "If request's url contains a Known HSTS Host, mo..."

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 27909 - "If request's url contains a Known HSTS Host, mo..."

Summary: "If request's url contains a Known HSTS Host, mo..."

Status:	RESOLVED FIXED

Alias:	None

Product:	WHATWG
Classification:	Unclassified
Component:	Fetch (show other bugs)
Version:	unspecified
Hardware:	PC All

Importance:	P2 normal
Target Milestone:	Unsorted
Assignee:	Anne
QA Contact:	sideshowbarker+fetchspec

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2015-01-27 15:50 UTC by Mike West
Modified:	2015-01-27 17:34 UTC (History)
CC List:	1 user (show)

See Also:

Attachments

Description Mike West 2015-01-27 15:50:17 UTC

https://fetch.spec.whatwg.org/#fetching

[[
If request's url contains a Known HSTS Host, modify it per the requirements of the "URI [sic] Loading and Port Mapping" chapter of HTTP Strict Transport Security. [HSTS]
]]

HSTS happens after mixed content (and CSP) checks in WebKit, Blink, and Gecko. Fetch should de jureize this de facto standard.

Comment 1 Anne 2015-01-27 17:34:46 UTC

Thanks! Per IM discussion I placed HSTS after Referrer.

https://github.com/whatwg/fetch/commit/b8c2c4964c233cd3616042c04e2c14e0ff25485d