[HTTPS-Everywhere] HSTS rules

Alexander Buchner alexander.buchner at posteo.de
Thu Apr 28 11:41:07 PDT 2016


On 27.04.2016 23:40, William Budington wrote:
> I wouldn't assume all sites on the HSTS preload list have the
> include_subdomains directive set.  This may be a new requirement, or
> a requirement which is standard unless some kind of special request
> is made.  In these cases, domains submitted before the requirement
> changed or upon a special request may not have include_subdomains
> set.  Case in point: you can see in the preload list[1] that
> 'paypal.com' does not have include_subdomains set.
> 
> 1.
> https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json

This is unfortunate. I wasn't aware of this. :(
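
Added example, not part of the original message or of the HTTPS Everywhere code: a Python check of whether a host is forced to HTTPS by a preload list, given that an entry such as 'paypal.com' may lack include_subdomains. The sample data is constructed; the layout ("entries" objects with "name", "mode", an optional "include_subdomains", and "//" comment lines) is an assumption about the linked JSON file, and the function names are hypothetical.

```python
import json

# Constructed sample, NOT the real list. Assumed layout: "entries" objects
# with "name", "mode" and an optional "include_subdomains"; "//" comment lines.
SAMPLE = """
// constructed sample entries
{
  "entries": [
    { "name": "paypal.com", "mode": "force-https" },
    { "name": "example.org", "include_subdomains": true, "mode": "force-https" },
    { "name": "pins-only.example", "include_subdomains": true, "pins": "test" }
  ]
}
"""

def load_entries(text):
    """Drop whole-line // comments, parse, and map name -> include_subdomains."""
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("//"))
    entries = {}
    for entry in json.loads(body)["entries"]:
        # Assumption: only "mode": "force-https" entries carry HSTS;
        # entries without it (pins only) do not force HTTPS.
        if entry.get("mode") == "force-https":
            entries[entry["name"].lower()] = bool(entry.get("include_subdomains", False))
    return entries

def preload_match(host, entries):
    """Return the entry name that forces HTTPS for host, or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            # An exact match always applies; a parent domain applies
            # only when it sets include_subdomains.
            if i == 0 or entries[candidate]:
                return candidate
    return None

def uncovered(hosts, entries):
    """Hosts the preload list does not protect, e.g. www under a bare entry."""
    return [h for h in hosts if preload_match(h, entries) is None]

if __name__ == "__main__":
    print(uncovered(["paypal.com", "www.paypal.com", "www.example.org"],
                    load_entries(SAMPLE)))
```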
