Hi
How do we handle auto-generated HSTS rules?
https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Onlime.ch.xml
is only enabled on Firefox, but the rule is in Firefox's preload list
too:
https://dxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSTSPrelo
It's fine to remove an auto-generated HSTS rule, if:
- Its hosts are now fully covered in the HSTS preload list.
- The secure cookie rules are not necessary (e.g. the site secures all
its cookies, *or* only sets cookies that are scoped exactly to the
covered HSTS domain).
On 05/24/2015 08:12 AM,
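
Added example, not part of the original thread or of HTTPS Everywhere's own code: a sketch of the two removal conditions from the reply above, checking a ruleset's `<target>` hosts against a preload list and checking observed cookies against the same list. The ruleset, the preload entries (modelled as host to includeSubdomains flag) and the cookies are constructed, and the function names and the cookie test are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed ruleset in the HTTPS Everywhere XML format (not the real Onlime.ch.xml).
RULESET = r"""<ruleset name="Example (constructed)">
  <target host="www.example.test" />
  <target host="*.cdn.example.test" />
  <target host="*.legacy.example.invalid" />
  <securecookie host=".+" name=".+" />
  <rule from="^http:" to="https:" />
</ruleset>"""
# Constructed preload entries: host -> includeSubdomains flag (assumed shape).
PRELOAD = {"example.test": True, "legacy.example.invalid": False}
# Constructed (origin host, Set-Cookie value) pairs observed on the site.
COOKIES = [("www.example.test", "sid=abc; Path=/; Secure"),
           ("www.example.test", "pref=1; Domain=example.test"),
           ("legacy.example.invalid", "old=1; Domain=.legacy.example.invalid")]

def covered(target, preload):
    """True if every host a <target> pattern matches is HSTS-preloaded."""
    wildcard = target.startswith("*.")
    host = (target[2:] if wildcard else target).lower().rstrip(".")
    if "*" in host:
        return False  # e.g. "example.*" cannot be proven against a finite list
    if not wildcard and host in preload:
        return True  # an exact entry protects the host itself
    labels = host.split(".")
    # Wildcards need includeSubdomains on the base or an ancestor; plain hosts on an ancestor.
    first = 0 if wildcard else 1
    return any(preload.get(".".join(labels[i:])) is True
               for i in range(first, len(labels)))

def cookie_needs_rule(origin, set_cookie, preload):
    """Assumed reading of the cookie condition: a non-Secure cookie is fine
    only if every host it can be sent to is covered by the preload list."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    if "secure" in attrs:
        return False
    domain = next((a[7:].lstrip(".") for a in attrs if a.startswith("domain=")), None)
    if domain is None:  # host-only cookie: sent to the origin host only
        return not covered(origin, preload)
    return not (covered(domain, preload) and covered("*." + domain, preload))

def review(ruleset_xml, preload, cookies):
    root = ET.fromstring(ruleset_xml)
    uncovered = [t.get("host") for t in root.iter("target")
                 if not covered(t.get("host"), preload)]
    risky = [(o, c) for o, c in cookies if cookie_needs_rule(o, c, preload)]
    return {"uncovered": uncovered, "risky_cookies": risky, "removable": not (uncovered or risky)}

print(review(RULESET, PRELOAD, COOKIES))
```

The ruleset is reported as removable only when both lists come back empty; any entry in either list is a reason to keep the rule or review it by hand.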