Quote:
Originally Posted by n5bb
Rob, could you come up with a system to force HSTS (ideally preloaded) for https: links to Fastmail file storage? Currently the user link becomes a subpath under https://user.fm/, and I don't think that any HSTS is used for that domain. See this EMD thread.
All HSTS does is force a browser to use the HTTPS variant when HTTP is requested. In the scenario described in the other case, the concern is over a user fiddling with the URL to go to the domain version of the site, which doesn't have an HTTPS variant. HSTS wouldn't help there.
We could set up HSTS to force http://user.fm/... to go to https://user.fm/..., but I'd need to think about it a bit first and study the access logs to understand what the impacts might be. That's not a high priority for me right now.
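The behaviour Rob describes, modelled in code as an added example (this is not code from the forum post or from Fastmail): a minimal browser-side HSTS store per RFC 6797. It parses a Strict-Transport-Security header, only honours it when received over HTTPS, and upgrades later http:// requests for that host (and, with includeSubDomains, its subdomains). A request to any other host is left untouched, which is why a policy on user.fm says nothing about a different domain. The host names used in the comments are placeholders, and the `preload` token is parsed but has no runtime effect, as in real browsers.

```python
"""Toy model of browser HSTS handling (added example, not Fastmail's code)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains, preload) or None when the header
    is invalid (no max-age, or a non-numeric max-age), which browsers ignore.
    """
    max_age = None
    include_sub = False
    preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True  # only meaningful for preload-list submission
    if max_age is None:
        return None
    return max_age, include_sub, preload


class HstsStore:
    """Per-host HSTS policies, keyed by lower-cased host name."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expiry_timestamp, include_subdomains)

    def observe(self, host, scheme, header):
        """Record a policy from a response; returns True if it was accepted."""
        # RFC 6797 s8.1: the header is ignored unless received over TLS,
        # otherwise an active attacker on HTTP could set or clear policies.
        if scheme != "https":
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub, _preload = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 revokes the policy
            return True
        self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host matches an unexpired policy (exact or via includeSubDomains)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self.now():
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname):
            return url  # e.g. a different domain: HSTS for user.fm does not apply
        netloc = parts.hostname
        if parts.port and parts.port != 80:  # RFC 6797 s8.3: only port 80 becomes 443
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Calling `rewrite` on `http://user.fm/u/abc/file.txt` after a policy for user.fm has been seen over HTTPS yields the https:// form; the same call for a host without a policy returns the URL unchanged, so the only way HSTS helps is if the domain the user ends up on has itself sent (or preloaded) a policy.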