Issues like #1025 should prompt us to reconsider whether using HSTS preloading from a server-side client (introduced via #151) is a sensible thing to do at all.
Crucially, from "Try connecting to HTTPS on schemaless URLs" (#124) it seems that HSTS preloading was introduced as a way to tackle "schema-less URLs". As of today HTTPX requires a schema on URLs, so if it was the initial motivation then it is now irrelevant. Besides, we can assume that developers are generally very aware of their choices to use http:// vs https:// on the server-side (as opposed to browser users just entering the domain name without a schema).
Some options are:
1) Add a toggle so that HSTS preload becomes opt-in or opt-out.
2) Drop HSTS functionality entirely.
Given all the context points above, we might want to just go with option 2).
Prompted by #1025 (comment)