Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)

=JeffH <> Fri, 29 June 2012 20:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8B88C11E8080 for <>; Fri, 29 Jun 2012 13:56:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -100.995
X-Spam-Status: No, score=-100.995 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LXDpNmvNQWks for <>; Fri, 29 Jun 2012 13:56:13 -0700 (PDT)
Received: from ( [IPv6:2605:dc00:100:2::a5]) by (Postfix) with SMTP id D670A11E807F for <>; Fri, 29 Jun 2012 13:56:12 -0700 (PDT)
Received: (qmail 7271 invoked by uid 0); 29 Jun 2012 20:56:12 -0000
Received: from unknown (HELO ( by with SMTP; 29 Jun 2012 20:56:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=T73RvSP1Stxv430SLojW80+bbg1BLoZgzDMFjM4s+GQ=; b=7cLC7GsFDLFUNQLAWc2vsqPvHIjjwlK5bo93NVOwLnz7f2M3diUPp2HL4I8dfDwdA+s5z5aOo8ZAJprqm2l6FGdY2YurnVCA8m0j0rszAE4n5NQoPAMCk+uXLNOHS7id;
Received: from [] (port=20906 helo=[]) by with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <>) id 1SkiEe-0005pl-Fc for; Fri, 29 Jun 2012 14:56:12 -0600
Message-ID: <>
Date: Fri, 29 Jun 2012 13:56:11 -0700
From: =JeffH <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: IETF WebSec WG <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {} {sentby:smtp auth authed with}
Subject: Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Jun 2012 20:56:13 -0000

 > Existence of "I am testing HSTS" directive would
 > allow browsers to present debug information on HSTS succeeding/failing
 > in some form (browser logs, additional debug frame, etc.)

This "report-only"/"testing" mode notion came up in WG discussion in Paris, 
inspired in part on the "report-only" functionality in the Content Security 
Policy spec.

The way CSP handles signaling "report-only"  is via a separate header field 
("Content-Security-Policy-Report-Only"), rather than as a directive.

Given that HSTS as presently specified is implemented in several browsers 
(Chrome, Firefox, Opera12beta), and deployed by a number of sites, we suggest 
finishing up the HSTS spec as is.

Then, if there's interest and energy to define a "report-only"/"testing" mode, 
a fairly simple follow-on spec could be written leveraging the original HSTS 
spec and defining just what's needed for this.