net/http: http.Transport: support HSTS (Strict-Transport-Security)

[StalkR]

Hello,

It doesn't seem that net/http's http.Transport supports HSTS (HTTP Strict-Transport-Security, http://tools.ietf.org/html/rfc6797). Is it something we could add?

Initially, I'm thinking just the http->https upgrade bit and not certificate pins. Also, just dynamic mode and not static configuration like Chromium has.
That is: if we receive an HSTS header we remember it in the current http.Transport and upgrade any future http request to https, but terminating the program means we forget about it.

[bradfitz]

This doesn't seem relevant to the net/http package because we don't receive raw user strings like foo.com in an Omnibar from Chrome or Firefox. We work in terms of complete URLs, so it's up to the calling application to do HSTS if they want.

Plus, any HSTS state should usually persist longer than the lifetime of a given Go process, so it necessarily involves writing state somewhere, which is outside the scope of the net/http package.

Tentatively closing this bug, unless I'm convinced otherwise.

/cc @agl for opinions, if any.