Closed hannob closed 6 years ago
That's a good point. I agree that the owner should be made aware, and either submit their web site for preloading or remove the preload directive. If you happen to have a report with one of these handy, please add it as a comment. Having it would make the implementation slightly easier. Thanks.
I have set up a test host at preload.tlsfun.de in case that helps.
This is done. The warning is not going to show on preload.tlsfun.de because the preload keyword has no effect on a hostname that's not TLD+1. But see below what the warning looks like:
Thanks!
I occasionally see pages that have an HSTS header with preload, but aren't actually in the preload list.
While these can obviously be from cases where people have just submitted their host to the preload list, I guess in many cases it's that they copied the HSTS header from somewhere without actually knowing what preload means. This can also introduce risks, as someone else may submit that page to the preload list and it gets added without the owner of the domain being aware that this happens and what it means.
I think it'd be thus a good idea to show a warning when a page sets preload in the HSTS header and isn't actually in the preload list.
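The check proposed in this issue (warn when a `Strict-Transport-Security` header carries `preload` but the host is not actually on the preload list), written out as an added example; this is not the project's own implementation and not code from anyone in the thread. The preload-list snapshot is constructed for the example rather than fetched from hstspreload.org, and the parent-domain walk only models the list's `includeSubDomains` coverage; it does not apply the public-suffix (TLD+1) rule mentioned above, so a real scanner would add that before deciding whether to warn.

```python
# Added example: detect an HSTS header that claims "preload" without the
# host being covered by the preload list, and flag the preload-eligibility
# problems (max-age below one year, missing includeSubDomains) that would
# make a submission fail anyway.

# Constructed snapshot standing in for the real preload list (hstspreload.org).
PRELOAD_SNAPSHOT = {
    "example.com": {"include_subdomains": True},
    "example.net": {"include_subdomains": False},
}

# hstspreload.org requires max-age of at least one year for submission.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value_or_True}."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        value = value.strip().strip('"')
        # Directive names are case-insensitive (RFC 6797), so normalise them.
        directives[name.strip().lower()] = value if value else True
    return directives


def in_preload_list(hostname, preload_list=PRELOAD_SNAPSHOT):
    """True if hostname is listed exactly, or a listed parent covers subdomains."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = preload_list.get(".".join(labels[i:]))
        if entry is None:
            continue
        if i == 0 or entry["include_subdomains"]:
            return True
    return False


def check_hsts_preload(hostname, header_value, preload_list=PRELOAD_SNAPSHOT):
    """Return a list of warning strings for a host's HSTS header (empty if fine)."""
    warnings = []
    if header_value is None:
        return warnings
    directives = parse_hsts(header_value)
    if "preload" not in directives:
        # No preload claim: nothing to warn about here.
        return warnings

    raw_max_age = directives.get("max-age")
    try:
        max_age = int(raw_max_age) if isinstance(raw_max_age, str) else 0
    except ValueError:
        max_age = 0
    if max_age < PRELOAD_MIN_MAX_AGE:
        warnings.append(
            "preload directive set but max-age=%d is below the one-year minimum" % max_age
        )
    if "includesubdomains" not in directives:
        warnings.append("preload directive set without includeSubDomains")
    if not in_preload_list(hostname, preload_list):
        warnings.append(
            "preload directive set but %s is not in the preload list; "
            "submit the domain or remove the directive" % hostname
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample headers; preload.tlsfun.de is the test host from the thread.
    samples = [
        ("www.example.com", "max-age=31536000; includeSubDomains; preload"),
        ("preload.tlsfun.de", "max-age=63072000; preload"),
        ("example.org", "max-age=600; includeSubDomains; preload"),
    ]
    for host, header in samples:
        for warning in check_hsts_preload(host, header):
            print("%s: %s" % (host, warning))
```

Each warning is independent so that a scanner can report all of them at once: the third one is the warning this issue asked for, while the first two tell the owner why a preload submission would be rejected if they did decide to submit.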