Currently, Dev Tools exposes the internal implementation detail of how Chrome handles HSTS and lists a request to the http:// site with a "307 Internal Redirect" entry. (In Issue 863617, this caused confusion about possible plaintext requests to google.com.) For users who don't understand the internal implementation in Chrome, this may be unnecessarily confusing when setting up HSTS on their sites.
I know in the full network event log these are annotated with "Non-Authoritative-Reason: HSTS". While we might not want to completely gloss over that this internal redirect occurs, would there be a good way to expose that this is expected as part of HSTS in Dev Tools at least?
I've attached a screenshot of what this currently looks like, and steps for reproducing it.
Chrome Version: 69.0.3491.0 (Developer Build) (64-bit)
What steps will reproduce the problem?
(1) Open Dev Tools Network panel
(2) Navigate to http://preloaded-hsts.badssl.com
(3) See a request to "http://preloaded-hsts.badssl.com" with a "307 Internal Redirect" status.
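An added example, not part of the original report or of Chrome's code: a small check over HAR-style entries that separates the synthesized HSTS redirect described above from http:// requests that may have gone out in plaintext. It assumes the exported entry carries the same "Non-Authoritative-Reason: HSTS" header the report mentions for the network event log; the function names, the `plain.example` host and the sample entries are constructed for illustration.

```javascript
// Constructed sample entries in HAR 1.2 shape; not captured from a real session.
const sampleEntries = [
  { request: { url: "http://preloaded-hsts.badssl.com/" },
    response: { status: 307, statusText: "Internal Redirect", headers: [
      { name: "Location", value: "https://preloaded-hsts.badssl.com/" },
      { name: "Non-Authoritative-Reason", value: "HSTS" } ] } },
  { request: { url: "http://plain.example/" },
    response: { status: 307, statusText: "Temporary Redirect", headers: [
      { name: "Location", value: "https://plain.example/" } ] } },
  { request: { url: "https://preloaded-hsts.badssl.com/" },
    response: { status: 200, statusText: "OK", headers: [] } },
];

// Case-insensitive header lookup; returns the value or null.
function header(response, name) {
  const h = (response.headers || []).find(
    (x) => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : null;
}

// Returns "hsts-internal", "possible-plaintext" or "other" for one entry.
function classifyEntry(entry) {
  const url = new URL(entry.request.url);
  if (url.protocol !== "http:") return "other";
  const res = entry.response;
  if (res.status === 307 && header(res, "Non-Authoritative-Reason") === "HSTS") {
    // An HSTS upgrade changes only the scheme, so the Location must be
    // https:// on the same host. Anything else is not trusted as internal.
    const loc = header(res, "Location");
    const target = loc ? new URL(loc, url) : null;
    if (target && target.protocol === "https:" &&
        target.hostname === url.hostname) {
      return "hsts-internal";
    }
  }
  // No HSTS annotation: treat the http:// request as possibly sent on the wire.
  return "possible-plaintext";
}

// URLs of http:// entries that were not explained by an HSTS internal redirect.
function plaintextRequests(entries) {
  return entries
    .filter((e) => classifyEntry(e) === "possible-plaintext")
    .map((e) => e.request.url);
}

console.log(sampleEntries.map(classifyEntry));
```
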
Comment 1 by cthomp@chromium.org, Jul 17