IMG loaded from HSTS domain on non-HTTPS site breaks siteHSTS on Amazon CloudFront from S3 originConfigure Apache to send HSTS header only in virtual hosts using HTTPSHSTS secured domain migrationIdeally, how should HSTS / SSL Everywhere / Let's encrypt work with captive Wifi portals?HSTS with canonical URL redirect in nginxUsing HSTS with Sub Domain ForwardingNginx - HSTS and Redirect non-www to wwwApache: HSTS redirection on non-standard HTTP port causes SSL errorHSTS: Is includeSubDomains on main domain sufficient?HSTS issues when redirecting to www. sub domain
Multi tool use
Dad jokes are fun
Are there any German nonsense poems (Jabberwocky)?
Variable declaraton with extra in C
Would Buddhists help non-Buddhists continuing their attachments?
Who knighted this Game of Thrones character?
Why is 'additive' EQ more difficult to use than 'subtractive'?
What did the 'turbo' button actually do?
Cardio work for Muay Thai fighters
Expected maximum number of unpaired socks
Is keeping the forking link on a true fork necessary (Github/GPL)?
Burned out due to current job, Can I take a week of vacation between jobs?
How to politely tell someone they did not hit reply all in email?
The disk image is 497GB smaller than the target device
Testing using real data of the customer
I want to know what marumaru means
“For nothing” = “pour rien”?
If I arrive in the UK, and then head to mainland Europe, does my Schengen visa 90 day limit start when I arrived in the UK, or mainland Europe?
Why does splatting create a tuple on the rhs but a list on the lhs?
What is the use case for non-breathable waterproof pants?
Using too much dialogue?
Is there a simple example that empirical evidence is misleading?
Can we assume that a hash function with high collision resistance also means highly uniform distribution?
One word for 'the thing that attracts me'?
Creating second map without labels using QGIS?
IMG loaded from HSTS domain on non-HTTPS site breaks site
HSTS on Amazon CloudFront from S3 originConfigure Apache to send HSTS header only in virtual hosts using HTTPSHSTS secured domain migrationIdeally, how should HSTS / SSL Everywhere / Let's encrypt work with captive Wifi portals?HSTS with canonical URL redirect in nginxUsing HSTS with Sub Domain ForwardingNginx - HSTS and Redirect non-www to wwwApache: HSTS redirection on non-standard HTTP port causes SSL errorHSTS: Is includeSubDomains on main domain sufficient?HSTS issues when redirecting to www. sub domain
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
Would HSTS cause an entire site (browser) to redirect to its HTTPS counterpart if a single (or more) resource from an HSTS domain was inserted into a HTTP site - e.g. through an 'img' tag?
We have http://subdomain.example.com loading an image from http(s)://www.example.com and then, incorrectly, http://subdomain.example.com redirects to http(s)://subdomain.example.com (causing the page to essentially break - it doesn't load at all) when the image is loaded. If we remove the image from the HTML the site functions correctly.
Is this expected behaviour and the essence of HSTS?
Note: we see www.example.com and example.com in the browser HSTS cache/store when the site loads the image. Clearing this causes the site to work fine, but subsequent reloads of the page then break (assuming because the browser has identified the HSTS once, and subsequent calls will then redirect following the HSTS policy/nature).
hsts
edited May 10 at 3:13
Michael Hampton♦
178k27322655
asked May 10 at 1:37
KinnectusKinnectus
235110
add a comment |
Would HSTS cause an entire site (browser) to redirect to its HTTPS counterpart if a single (or more) resource from an HSTS domain was inserted into a HTTP site - e.g. through an 'img' tag?
We have http://subdomain.example.com loading an image from http(s)://www.example.com and then, incorrectly, http://subdomain.example.com redirects to http(s)://subdomain.example.com (causing the page to essentially break - it doesn't load at all) when the image is loaded. If we remove the image from the HTML the site functions correctly.
Is this expected behaviour and the essence of HSTS?
Note: we see www.example.com and example.com in the browser HSTS cache/store when the site loads the image. Clearing this causes the site to work fine, but subsequent reloads of the page then break (assuming because the browser has identified the HSTS once, and subsequent calls will then redirect following the HSTS policy/nature).
hsts
edited May 10 at 3:13
Michael Hampton♦
178k27322655
asked May 10 at 1:37
KinnectusKinnectus
235110
That depends. What have you set the headers to?
– Michael Hampton♦
May 10 at 3:09
Thanks for the reply. I haven't set the headers but a quick look at the domain on a HSTS checker has a clue "includeSubDomains".
– Kinnectus
May 10 at 4:29
Yes, that would do it.
– Michael Hampton♦
May 10 at 4:30
I had an epiphany to check that, in the middle of the night, when I was up tending to one of my kids who decided to wake up at 2am... Thank you for your quick responses
– Kinnectus
May 10 at 4:36
add a comment |
Would HSTS cause an entire site (browser) to redirect to its HTTPS counterpart if a single (or more) resource from an HSTS domain was inserted into a HTTP site - e.g. through an 'img' tag?
We have http://subdomain.example.com loading an image from http(s)://www.example.com and then, incorrectly, http://subdomain.example.com redirects to http(s)://subdomain.example.com (causing the page to essentially break - it doesn't load at all) when the image is loaded. If we remove the image from the HTML the site functions correctly.
Is this expected behaviour and the essence of HSTS?
Note: we see www.example.com and example.com in the browser HSTS cache/store when the site loads the image. Clearing this causes the site to work fine, but subsequent reloads of the page then break (assuming because the browser has identified the HSTS once, and subsequent calls will then redirect following the HSTS policy/nature).
hsts
edited May 10 at 3:13
Michael Hampton♦
178k27322655
asked May 10 at 1:37
KinnectusKinnectus
235110
Would HSTS cause an entire site (browser) to redirect to its HTTPS counterpart if a single (or more) resource from an HSTS domain was inserted into a HTTP site - e.g. through an 'img' tag?
We have http://subdomain.example.com loading an image from http(s)://www.example.com and then, incorrectly, http://subdomain.example.com redirects to http(s)://subdomain.example.com (causing the page to essentially break - it doesn't load at all) when the image is loaded. If we remove the image from the HTML the site functions correctly.
Is this expected behaviour and the essence of HSTS?
Note: we see www.example.com and example.com in the browser HSTS cache/store when the site loads the image. Clearing this causes the site to work fine, but subsequent reloads of the page then break (assuming because the browser has identified the HSTS once, and subsequent calls will then redirect following the HSTS policy/nature).
hsts
hsts
edited May 10 at 3:13
Michael Hampton♦
178k27322655
asked May 10 at 1:37
KinnectusKinnectus
235110
edited May 10 at 3:13
Michael Hampton♦
178k27322655
asked May 10 at 1:37
KinnectusKinnectus
235110
edited May 10 at 3:13
Michael Hampton♦
178k27322655
edited May 10 at 3:13
Michael Hampton♦
178k27322655
edited May 10 at 3:13
Michael Hampton♦
178k27322655
178k27322655
asked May 10 at 1:37
KinnectusKinnectus
235110
asked May 10 at 1:37
KinnectusKinnectus
235110
asked May 10 at 1:37
KinnectusKinnectus
235110
235110
That depends. What have you set the headers to?
– Michael Hampton♦
May 10 at 3:09
Thanks for the reply. I haven't set the headers but a quick look at the domain on a HSTS checker has a clue "includeSubDomains".
– Kinnectus
May 10 at 4:29
Yes, that would do it.
– Michael Hampton♦
May 10 at 4:30
I had an epiphany to check that, in the middle of the night, when I was up tending to one of my kids who decided to wake up at 2am... Thank you for your quick responses
– Kinnectus
May 10 at 4:36
add a comment |
That depends. What have you set the headers to?
– Michael Hampton♦
May 10 at 3:09
Thanks for the reply. I haven't set the headers but a quick look at the domain on a HSTS checker has a clue "includeSubDomains".
– Kinnectus
May 10 at 4:29
Yes, that would do it.
– Michael Hampton♦
May 10 at 4:30
I had an epiphany to check that, in the middle of the night, when I was up tending to one of my kids who decided to wake up at 2am... Thank you for your quick responses
– Kinnectus
May 10 at 4:36
That depends. What have you set the headers to?
– Michael Hampton♦
May 10 at 3:09
That depends. What have you set the headers to?
– Michael Hampton♦
May 10 at 3:09
Thanks for the reply. I haven't set the headers but a quick look at the domain on a HSTS checker has a clue "includeSubDomains".
– Kinnectus
May 10 at 4:29
Thanks for the reply. I haven't set the headers but a quick look at the domain on a HSTS checker has a clue "includeSubDomains".
– Kinnectus
May 10 at 4:29
Yes, that would do it.
– Michael Hampton♦
May 10 at 4:30
Yes, that would do it.
– Michael Hampton♦
May 10 at 4:30
I had an epiphany to check that, in the middle of the night, when I was up tending to one of my kids who decided to wake up at 2am... Thank you for your quick responses
– Kinnectus
May 10 at 4:36
I had an epiphany to check that, in the middle of the night, when I was up tending to one of my kids who decided to wake up at 2am... Thank you for your quick responses
– Kinnectus
May 10 at 4:36
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f966659%2fimg-loaded-from-hsts-domain-on-non-https-site-breaks-site%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f966659%2fimg-loaded-from-hsts-domain-on-non-https-site-breaks-site%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
V3UhB5s 0v1prQ7od1bCd FO8S0Kl9Q4IgDqMLTj gcXiygMij,yh9n,XDe0SBBNrHbPFMX
That depends. What have you set the headers to?
– Michael Hampton♦
May 10 at 3:09
Thanks for the reply. I haven't set the headers but a quick look at the domain on a HSTS checker has a clue "includeSubDomains".
– Kinnectus
May 10 at 4:29
Yes, that would do it.
– Michael Hampton♦
May 10 at 4:30
I had an epiphany to check that, in the middle of the night, when I was up tending to one of my kids who decided to wake up at 2am... Thank you for your quick responses
– Kinnectus
May 10 at 4:36