by wolfgang42
392 days ago
I assume a big reason is cookies, which are specced to be shared across the two versions: an attacker could relatively trivially trigger a request to http://example.com. which would get example.com's cookies, but not the HSTS upgrade that would prevent them from being sent in plaintext.