12 comments

[ 934 ms ] story [ 1035 ms ] thread
Bad title. Should be "Google Chrome to block HTTP file downloads on HTTPS origins."
This matters. I was mad at chrome till I read this comment.
And in ten years, I'm sure they'll ban HTTP altogether.

This is unacceptable, IMHO. I was trying to use a site with misconfigured HSTS the other day, and it wouldn't let me. No override, no nothing. That's just offensive. If it gives me a warning, fine. But when it outright tells you, "no I know better than you and I'm going to be smug about it," then this has gone too far.

Browsers are "user-agents," meaning they act on behalf of the user. If they do not do this, they are not browsers anymore.

This is the documented standard behavior [1]. You’ll find all conforming browsers do this.

[1]: https://tools.ietf.org/html/rfc6797#section-12.1

That makes total sense.

"If a web application issues an HSTS Policy, then it is implicitly opting into the "no user recourse" approach, thereby all certificate errors or warnings cause a connection termination, with no chance to "fool" users into making the wrong decision and compromising themselves."

If the standard told you to jump off a bridge, would you do it?

The standard is idiotic. Which part of "user agent" don't they understand?

> No override, no nothing.

In what browser? I'm not aware of any that have no override.

Google Chrome has been removing over-rides since forever.
But the override hasn't been removed.
Firefox, Chrome. Are there any others?
Chrome definitely has a relatively simple override, Firefox's is a tad bit more annoying.