Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)

Tobias Gondrom <> Sat, 30 June 2012 15:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6E4D621F85A0 for <>; Sat, 30 Jun 2012 08:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -99.514
X-Spam-Status: No, score=-99.514 tagged_above=-999 required=5 tests=[AWL=-2.736, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jWVq9Imn67zX for <>; Sat, 30 Jun 2012 08:23:15 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CAA3C21F859E for <>; Sat, 30 Jun 2012 08:23:14 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default;; b=nPYfwutcrA+8LJN5jz2yNsKel0v15KBLP+Pc9d8+bvuLu156IjhXGxuZ3/Ch3OusUgTLjyRPx3ZpyoS5VHj5ClevMYyA+ubc/nkPh4r5XnZyd2V8Da7BjU0/yIeKw8Bu; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 21904 invoked from network); 30 Jun 2012 17:23:14 +0200
Received: from (HELO ? ( by with (DHE-RSA-AES256-SHA encrypted) SMTP; 30 Jun 2012 17:23:14 +0200
Message-ID: <>
Date: Sat, 30 Jun 2012 16:23:13 +0100
From: Tobias Gondrom <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] "This site is testing HSTS" directive (was Issue #41 add parameter indicating whether to hardfail or not)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 30 Jun 2012 15:23:15 -0000

I tend to agree with Jeff and Andy's comments.

The real use case / need for "report-only" is not fully clear to me.
Yes, it could always be nice to have one more test-case to run before 
going life with a system, but IMHO I am having a hard time seeing where 
this flag would really add value.
And we should not add features (and complexity) as for "report-only" to 
an I-D just for the sake of it and because they might one day be 
possibly help for an unclear or theoretical use-case.

Just my 5cents.

Best regards, Tobias

On 29/06/12 21:56, =JeffH wrote:
> > Existence of "I am testing HSTS" directive would
> > allow browsers to present debug information on HSTS succeeding/failing
> > in some form (browser logs, additional debug frame, etc.)
> This "report-only"/"testing" mode notion came up in WG discussion in 
> Paris, inspired in part on the "report-only" functionality in the 
> Content Security Policy spec.
> The way CSP handles signaling "report-only"  is via a separate header 
> field ("Content-Security-Policy-Report-Only"), rather than as a 
> directive.
> Given that HSTS as presently specified is implemented in several 
> browsers (Chrome, Firefox, Opera12beta), and deployed by a number of 
> sites, we suggest finishing up the HSTS spec as is.
> Then, if there's interest and energy to define a 
> "report-only"/"testing" mode, a fairly simple follow-on spec could be 
> written leveraging the original HSTS spec and defining just what's 
> needed for this.
> =JeffH
> _______________________________________________
> websec mailing list