This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 27909 - "If request's url contains a Known HSTS Host, mo..."
Summary: "If request's url contains a Known HSTS Host, mo..."
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-27 15:50 UTC by Mike West
Modified: 2015-01-27 17:34 UTC (History)
1 user (show)

See Also:


Attachments

Description Mike West 2015-01-27 15:50:17 UTC
https://fetch.spec.whatwg.org/#fetching

[[
If request's url contains a Known HSTS Host, modify it per the requirements of the "URI [sic] Loading and Port Mapping" chapter of HTTP Strict Transport Security. [HSTS]
]]

HSTS happens after mixed content (and CSP) checks in WebKit, Blink, and Gecko. Fetch should de jureize this de facto standard.
Comment 1 Anne 2015-01-27 17:34:46 UTC
Thanks! Per IM discussion I placed HSTS after Referrer.

https://github.com/whatwg/fetch/commit/b8c2c4964c233cd3616042c04e2c14e0ff25485d