[HTTPS-Everywhere] HSTS rules

[William Budington]

On Wed, 27 Apr 2016 14:24:24 -0700, Jacob Hoffman-Andrews wrote:
> 
> On 04/27/2016 01:53 PM, Alexander Buchner wrote:
> > If a site is in the HSTS preload list, it has set the
> > includeSubDomains directive, since this is a requirement to get into
> > the list. So I understand that for sites where the browser has the
> > HSTS flag with includeSubdomains it shouldn't matter if the cookies
> > have the secure flag or not since there is no way for them to get sent
> > over http, right? So having rules for sites which are already on the
> > HSTS preload list seems to be unnecessary to me and we could/should
> > delete them.
> I agree. I wasn't aware of the includeSubDomains requirement to get on
> the preload list when I wrote this message. I assume that applies to
> both Chrome and FF?

I wouldn't assume all sites on the HSTS preload list have the include_subdomains directive set.  This may be a new requirement, or a requirement which is standard unless some kind of special request is made.  In these cases, domains submitted before the requirement changed or upon a special request may not have include_subdomains set.  Case in point: you can see in the preload list[1] that 'paypal.com' does not have include_subdomains set.

1. https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json

> 
> Also, FWIW: We did a batch deletion last year of a large-ish number
> (~200) of rulesets that were originally autogenerate from HSTS preload
> lists. The remaining rulesets that overlap with HSTS should be
> relatively few in absolute size, although there is still some value in
> removing them, because if they have complex rewrites, those could cause
> bugs.
> 




> _______________________________________________
> HTTPS-Everywhere mailing list
> HTTPS-Everywhere at lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere