chromium / hstspreload

🔒🔍 A Go package to scan sites against requirements for Chromium-maintained HSTS preload list.
https://hstspreload.org
BSD 3-Clause "New" or "Revised" License

Prevent preloading a domain if its TLD is preloaded #113

Open nharper opened 5 years ago

nharper commented 5 years ago

There are a few .app domains on the preload list, but the entire app TLD is preloaded. We should reject these submissions because they're already covered by the TLD entry.

lgarron commented 5 years ago

I considered doing this a while back, but it wasn't a priority because the UI actually doesn't give you a submit button for .app domains (plus it doesn't hurt security and is easy to fix after the fact). So it seems that some people are doing direct submissions using the API?

In any case, I've moved the issue to https://github.com/chromium/hstspreload because policy is handled in this repo; feel free to move back if you prefer!

jayvdb commented 4 years ago

I did a bit of overlap analysis at https://bugs.chromium.org/p/chromium/issues/detail?id=1063664 - many are TLD, but there are quite a few overlaps which are not against the TLD.
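The check discussed in this thread, sketched as an added example (not code from this repository): walk up a submitted name's parent labels and report the closest ancestor already listed with include_subdomains, which catches both TLD coverage and the non-TLD overlaps mentioned above. The `List` type, its methods and the sample entries are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// List maps a preloaded name to its include_subdomains flag (hypothetical type).
type List map[string]bool

// sampleList is constructed sample data, not taken from the real list.
var sampleList = List{
	"app":                true,
	"example.app":        true,
	"example.com":        true,
	"www.example.com":    false,
	"example.org":        false,
	"static.example.org": true,
}

// CoveringAncestor returns the closest strict ancestor of domain that is
// listed with include_subdomains set, or "" when none covers it.
func (l List) CoveringAncestor(domain string) string {
	d := strings.TrimSuffix(strings.ToLower(domain), ".")
	for {
		i := strings.IndexByte(d, '.')
		if i < 0 {
			return "" // ran out of parent labels
		}
		d = d[i+1:] // drop the leftmost label and test the parent
		if l[d] {
			return d
		}
	}
}

// Redundant maps each listed name to the ancestor entry that already covers it.
func (l List) Redundant() map[string]string {
	out := map[string]string{}
	for name := range l {
		if a := l.CoveringAncestor(name); a != "" {
			out[name] = a
		}
	}
	return out
}

func main() {
	fmt.Println(sampleList.Redundant())
}
```

A parent listed without include_subdomains (here `example.org`) does not cover its children, so `static.example.org` is not reported as redundant.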