Drop HSTS Preloading

README.md

@@ -113,7 +113,6 @@ The HTTPX project relies on these excellent libraries:
   * `h2` - HTTP/2 support.
 * `certifi` - SSL certificates.
 * `chardet` - Fallback auto-detection for response encoding.
-* `hstspreload` - determines whether IDNA-encoded host should be only accessed via HTTPS.
 * `idna` - Internationalized domain name support.
 * `rfc3986` - URL parsing & normalization.
 * `sniffio` - Async library autodetection.

docs/index.md

@@ -111,7 +111,6 @@ The HTTPX project relies on these excellent libraries:
   * `h2` - HTTP/2 support.
 * `certifi` - SSL certificates.
 * `chardet` - Fallback auto-detection for response encoding.
-* `hstspreload` - determines whether IDNA-encoded host should be only accessed via HTTPS.
 * `idna` - Internationalized domain name support.
 * `rfc3986` - URL parsing & normalization.
 * `sniffio` - Async library autodetection.

httpx/_client.py

@@ -2,7 +2,6 @@
 import typing
 from types import TracebackType
 
-import hstspreload
 import httpcore
 
 from ._auth import Auth, BasicAuth, FunctionAuth
@@ -209,15 +208,7 @@ def _merge_url(self, url: URLTypes) -> URL:
         Merge a URL argument together with any 'base_url' on the client,
         to create the URL used for the outgoing request.
         """
-        url = self.base_url.join(relative_url=url)
-        if (
-            url.scheme == "http"
-            and hstspreload.in_hsts_preload(url.host)
-            and len(url.host.split(".")) > 1
-        ):
-            port = None if url.port == 80 else url.port
-            url = url.copy_with(scheme="https", port=port)
-        return url
+        return self.base_url.join(relative_url=url)
 
     def _merge_cookies(
         self, cookies: CookieTypes = None

setup.cfg

@@ -14,7 +14,7 @@ check_untyped_defs = True
 profile = black
 combine_as_imports = True
 known_first_party = httpx,tests
-known_third_party = brotli,certifi,chardet,cryptography,hstspreload,httpcore,pytest,rfc3986,setuptools,sniffio,trio,trustme,uvicorn
+known_third_party = brotli,certifi,chardet,cryptography,httpcore,pytest,rfc3986,setuptools,sniffio,trio,trustme,uvicorn
 
 [tool:pytest]
 addopts = --cov=httpx --cov=tests -rxXs

setup.py

@@ -56,7 +56,6 @@ def get_packages(package):
     zip_safe=False,
     install_requires=[
         "certifi",
-        "hstspreload",
         "sniffio",
         "chardet==3.*",
         "idna==2.*",

tests/client/test_client.py

@@ -175,25 +175,10 @@ def test_base_url(server):
 
 
 def test_merge_url():
-    client = httpx.Client(base_url="https://www.paypal.com/")
-    request = client.build_request("GET", "http://www.paypal.com")
-    assert request.url.scheme == "https"
-    assert request.url.is_ssl
-
-
-@pytest.mark.parametrize(
-    "url,scheme,is_ssl",
-    [
-        ("http://www.paypal.com", "https", True),
-        ("http://app", "http", False),
-        ("http://192.168.1.42", "http", False),
-    ],
-)
-def test_merge_url_hsts(url: str, scheme: str, is_ssl: bool):
-    client = httpx.Client()
-    request = client.build_request("GET", url)
-    assert request.url.scheme == scheme
-    assert request.url.is_ssl == is_ssl
+    client = httpx.Client(base_url="https://www.example.com/")
+    request = client.build_request("GET", "http://www.example.com")
+    assert request.url.scheme == "http"
+    assert not request.url.is_ssl
 
 
 def test_pool_limits_deprecated():