[snug]

To be RFC compliant, it MUST NOT allow the user to ignore the errors.

   12.1.  No User Recourse

   Failing secure connection establishment on any warnings or errors
   (per Section 8.4 ("Errors in Secure Transport Establishment")) should
   be done with "no user recourse".  This means that the user should not
   be presented with a dialog giving her the option to proceed.  Rather,
   it should be treated similarly to a server error where there is
   nothing further the user can do with respect to interacting with the
   target web application, other than wait and retry.

   Essentially, "any warnings or errors" means anything that would cause
   the UA implementation to announce to the user that something is not
   entirely correct with the connection establishment.

   Not doing this, i.e., allowing user recourse such as "clicking
   through warning/error dialogs", is a recipe for a man-in-the-middle
   attack.  If a web application issues an HSTS Policy, then it is
   implicitly opting into the "no user recourse" approach, whereby all
   certificate errors or warnings cause a connection termination, with
   no chance to "fool" users into making the wrong decision and
   compromising themselves.

https://tools.ietf.org/html/rfc6797#section-12.1

[paulddraper]

Well I suppose curl/wget will never be RFC compliant user agents (curl -k, wget --no-check-certificate).

But somehow I think they'll still be used...

[aaronmdjones]

wget writes a ~/.wget-hsts file with the HSTS information for any URI you have accessed that served an HSTS header.

Making it ignore --no-check-certificate if the file has an entry for the hostname you are visiting should be trivial, if it hasn't been done already.

[paulddraper]

Exactly.