> Clients who do not wish to connect via HTTPS but HTTP can just ignore
> the STS-header, but browsers who can could expose a configuration
> setting for the user to determine how to behave when being confronted
> with a HSTS-header in an HTTP-context.
>
> This would completely rid us from the need for extensions like "HTTPS
> Everywhere" and we would still keep HTTPS optional.

With HTTPS Everywhere *the user* gets to decide when to use https. With all http-based solutions, anybody between you and the legit server will decide whether you get to use https or not.
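
The point made in the reply, as an added example that is not part of the original thread: RFC 6797 (section 8.1) has clients ignore a Strict-Transport-Security header received over plain HTTP, because whoever sits on the path controls that header. The `HstsStore` class, its method names and the `example.test` hosts are hypothetical.

```javascript
// Added illustration: minimal HSTS policy store following RFC 6797 processing rules.
// Names are hypothetical; the hosts and headers used with it are constructed samples.
class HstsStore {
  constructor() { this.policies = new Map(); } // host -> { expires, includeSubDomains }

  // Process one response. Returns "stored", "removed" or "ignored".
  noteResponse(url, headers, now = Date.now()) {
    const u = new URL(url);
    const value = headers["strict-transport-security"];
    if (value === undefined) return "ignored";
    // RFC 6797 section 8.1: a header seen over plain HTTP is ignored, because
    // anyone on the path could have injected, altered or removed it.
    if (u.protocol !== "https:") return "ignored";
    let maxAge = null, includeSubDomains = false;
    for (const part of value.split(";")) {
      const [name, raw = ""] = part.trim().split("=");
      const key = name.trim().toLowerCase();
      if (key === "max-age") {
        const digits = raw.trim().replace(/^"(.*)"$/, "$1");
        if (!/^\d+$/.test(digits)) return "ignored"; // malformed directive
        maxAge = Number(digits);
      } else if (key === "includesubdomains") {
        includeSubDomains = true;
      }
    }
    if (maxAge === null) return "ignored"; // max-age is mandatory
    if (maxAge === 0) { this.policies.delete(u.hostname); return "removed"; }
    this.policies.set(u.hostname, { expires: now + maxAge * 1000, includeSubDomains });
    return "stored";
  }

  // Rewrite http:// to https:// when the host, or a parent domain that set
  // includeSubDomains, has an unexpired policy.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "http:") return u.href;
    const labels = u.hostname.split(".");
    for (let i = 0; i < labels.length; i++) {
      const p = this.policies.get(labels.slice(i).join("."));
      if (p && p.expires > now && (i === 0 || p.includeSubDomains)) {
        u.protocol = "https:";
        return u.href;
      }
    }
    return u.href;
  }
}
```

A policy is only learned, and only revoked with `max-age=0`, over HTTPS; the first plain-HTTP request to an unknown host is not upgraded at all.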