On 2018-01-02 05:39, Alain Wolf wrote:
So I figured it might be left as an exercise to the user to disable HSTS in his browser. Because if he lives or works behind such a proxy he will be barred from more than half of the world's websites by the end of the year.
It also occurs to me that a user who is blocked from using HTTPS won't see the HSTS header delivered over HTTPS at all. Therefore as long as you don't force a redirect from HTTP to HTTPS for your mirror's hostname, the mirror should more or less "just work" even for users who 1) honor HSTS, and 2) have previously visited your bare domain or www.
Users who can't use HTTPS will likely (hopefully?) be aware of how to disable HSTS, although it would be a shame if the technical knowledge to reconfigure one's existing browser became a requirement to download Tor.
Either way, I doubt a couple of mirrors make much difference, but I feel it's worth discussing the relative merits as though all mirrors were to make changes.
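The HSTS rules this message relies on, as an added example that is not part of the original post: a toy model of a browser's policy store following RFC 6797, showing when a plain-HTTP request to a mirror hostname would be upgraded. The hostnames `example.org` and `mirror.example.org`, the header values, and the assumption that the bare domain sends `includeSubDomains` are constructed for illustration.

```python
import re

class HstsStore:
    """Toy model of a browser's HSTS policy store, following RFC 6797."""

    def __init__(self):
        self.policies = {}  # host -> (expiry time, includeSubDomains flag)

    def note_response(self, scheme, host, sts_value, now):
        # A Strict-Transport-Security header received over plain HTTP is ignored.
        if scheme != "https" or not sts_value:
            return
        directives = [d.strip().lower() for d in sts_value.split(";") if d.strip()]
        max_age = None
        for d in directives:
            m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d)
            if m:
                max_age = int(m.group(1))
        if max_age is None:
            return  # max-age is required; without it there is no policy
        if max_age == 0:
            self.policies.pop(host.lower(), None)  # max-age=0 deletes the policy
        else:
            self.policies[host.lower()] = (now + max_age, "includesubdomains" in directives)

    def must_upgrade(self, host, now):
        # Exact host match, or a parent domain whose policy has includeSubDomains.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False

def mirror_upgraded(prior_scheme, sts_value):
    """Visit the bare domain once, then ask whether http://mirror.* is forced to HTTPS."""
    store = HstsStore()
    store.note_response(prior_scheme, "example.org", sts_value, now=0)  # constructed hostnames
    return store.must_upgrade("mirror.example.org", now=3600)

if __name__ == "__main__":
    print(mirror_upgraded("http", "max-age=31536000; includeSubDomains"))   # HTTPS blocked
    print(mirror_upgraded("https", "max-age=31536000; includeSubDomains"))  # prior HTTPS visit
    print(mirror_upgraded("https", "max-age=31536000"))                     # no includeSubDomains
```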