Firefox currently shows a red crossed-out padlock for HTTP sites with form elements, but not yet for HTTP sites without form elements, which for now get neutral treatment. The rationale is that you definitely shouldn't be using insecure forms: what could you possibly be writing where you really don't care about at least confidentiality (to prevent eavesdroppers from reading it) or integrity (to prevent a MitM from changing it)?

If you set HSTS and then subsequently remove HTTPS from a site it should (will for Firefox, kind of for Chrome) brick wall you, saying that it isn't able to reach the HTTPS site, without offering to let you see the insecure and perhaps compromised HTTP site even if you spell out the HTTP URL. Unlike HPKP this isn't considered a foot gun because you can fix it by just enabling HTTPS, and why didn't you have HTTPS anyway?

The parties to the contract are presumably Cloudflare and Mozilla, since that page keeps mentioning their "agreement with Firefox" and "agreement with Mozilla". As for costs to breach, that would be determined by a judge or jury based on damages suffered by Mozilla. Depends to some extent on the actual text of the contract, which hasn't been published. That's the main mechanism for enforcement, but there are a few additional ways it could theoretically be enforced: The FTC and state attorneys general can sue companies for violations of their own privacy policies, as "unfair and deceptive acts and practices". For example, they sued Cambridge Analytica recently. The California attorney general in particular would also be able to sue under the California Consumer Privacy Act once it goes into force. As for ways for individual consumers to sue: for instance, a class action suit against Facebook on a grab bag of claims, also related to Cambridge Analytica, recently survived a motion to dismiss. Among other things, the judge held that users could sue for breach of contract if Facebook violated its privacy policy.
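The no-fallback behaviour described in the HSTS comment above, shown as an added example that is not part of the thread and not any browser's code: a minimal model of a browser's HSTS cache following RFC 6797. It records a policy only when the header arrives over HTTPS, rewrites later http:// URLs for known hosts (and subdomains when includeSubDomains is set) before any request is sent, lets max-age=0 clear the entry, and, in the toy fetch helper, fails hard instead of falling back to plain HTTP once the HTTPS endpoint is gone. The host names, header values and the fetch helper are constructed for illustration.

```python
"""Minimal model of a browser HSTS cache (RFC 6797).

Added example for the comment above; not code from the thread or from any
browser. Host names and header values used with it are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Maps host -> (expiry_time, include_subdomains)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested deterministically
        self._entries = {}

    @staticmethod
    def parse_header(value):
        """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

        Returns None when max-age is missing or malformed; the browser then
        ignores the header entirely rather than guessing."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name, arg = name.strip().lower(), arg.strip().strip('"')
            if name == "max-age":
                if not arg.isdigit():
                    return None
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        return None if max_age is None else (max_age, include_sub)

    def observe(self, url, header_value):
        """Record the policy carried by a response for `url`.

        Ignored unless the response came over https (RFC 6797 section 8.1),
        so an attacker on plain HTTP cannot plant or alter policies.
        max-age=0 deletes the entry: that is how a site switches HSTS off."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        parsed = self.parse_header(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._entries.pop(host, None)
        else:
            self._entries[host] = (self._clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain whose policy has includeSubDomains,
        holds an unexpired entry."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > now and (i == 0 or include_sub):
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts before the request leaves
        the machine (port 80 becomes 443; any explicit other port is kept)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc = f"{netloc}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def fetch(cache, url, https_available):
    """Toy navigation. `https_available` is the set of hosts still answering on 443.

    Returns the URL actually loaded, or None when the browser refuses to
    proceed. An HSTS failure offers no click-through (RFC 6797 section 12.1),
    which is the 'brick wall' the comment describes."""
    target = cache.upgrade(url)
    parts = urlsplit(target)
    if parts.scheme == "https" and parts.hostname not in https_available:
        return None   # hard failure: no fallback to http even if the user typed http://
    return target
```

The cache only ever shrinks a policy on the site's own instruction over HTTPS (max-age=0 or natural expiry), which is why the only real fix after turning HTTPS off is to turn it back on: until then every navigation to a known host is upgraded and the failure is final.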