This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
https://fetch.spec.whatwg.org/#fetching [[ If request's url contains a Known HSTS Host, modify it per the requirements of the "URI [sic] Loading and Port Mapping" chapter of HTTP Strict Transport Security. [HSTS] ]] HSTS happens after mixed content (and CSP) checks in WebKit, Blink, and Gecko. Fetch should de jureize this de facto standard.
Thanks! Per IM discussion I placed HSTS after Referrer. https://github.com/whatwg/fetch/commit/b8c2c4964c233cd3616042c04e2c14e0ff25485d