Closed neilstuartcraig closed 1 year ago
^^ @clelland
The superdomain match that is used in "Choose a policy for an origin" should accept any higher ancestor. If it's not doing that, that might be an implementation bug.
Thanks @clelland - that is exactly what I needed to know. It would be great to have that in the spec, should I perhaps open a PR on the spec to add a similar explainer sentence?
Absolutely! If there is wording that you feel would help make it clear, definitely file a PR and I'll merge it.
Sorry if I am being dim @clelland but I am unsure where to create a PR. Feels like it could be added in the explainer doc which I can easily do but I don't see where I should raise a PR on the spec itself - or is that done some other way? Pointers would be much appreciated! Ta.
No worries! The spec is written with ReSpec, so index.html is the spec itself. (It gets published directly to https://w3c.github.io/network-error-logging/)
Sorry for the delay, busy times! I've just created #137 - I think it's that simple(?). I tried hard to keep the text succinct, hope it's ok.
Since the additional wording is now merged, I'll close this issue.
We had a live website issue last night in which a TLS cert signed by an internal CA rather than the public CA was issued and applied. The cert was for a 2-layers deep subdomain, e.g. a.service.example.com on a globally busy website. We have NEL applied (with 1 month max-age) on the apex (example.com) but not currently on the a.service.example.com itself.
We do have NEL alerts configured, including a specific alert for TLS issues which should have picked this up but it didn't fire despite the incident lasting several hours.
Having looked into why we didn't see an alert (or indeed any increase at all in NEL TLS reports), we checked the section of the spec which covers the include_subdomains directive and noticed that it doesn't (assuming we didn't miss it) specify whether the NEL policy should propagate through multiple layers of subdomains or not, so I wondered if this could be clarified in the spec to help implementers be consistent and to help folks triage this sort of incident. IMO, it'd be good and logical for NEL to include any number of layers of subdomains if include_subdomains is true.
Hope that all makes sense. Cheers
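Added example, not code from this issue, from the NEL spec or from any browser's implementation: a minimal JavaScript model of an NEL policy cache and of the superdomain walk that @clelland describes above, used to check the scenario in the original post, where a policy with include_subdomains set on example.com is expected to cover a.service.example.com two labels down. The function names, the hostname-keyed cache (the spec keys on origins), the receivedAt/expiresAt bookkeeping and the rule of never consulting the bare top-level label are this example's own simplifications.

```javascript
// Minimal model of an NEL policy cache and the "choose a policy for an origin"
// superdomain walk. Hosts stand in for origins, and timestamps are milliseconds.

// Parse one NEL response header value into a policy record for `host`.
// report_to, max_age and include_subdomains are the header's real field names;
// receivedAt/expiresAt are this example's bookkeeping.
function parseNelHeader(host, headerValue, receivedAt) {
  let obj;
  try {
    obj = JSON.parse(headerValue);
  } catch (e) {
    return null; // malformed JSON: header ignored
  }
  if (typeof obj.max_age !== "number" || obj.max_age < 0) return null;
  if (obj.max_age === 0) return { host, remove: true }; // max_age 0 removes a policy
  if (typeof obj.report_to !== "string") return null;    // nowhere to send reports
  return {
    host,
    reportTo: obj.report_to,
    includeSubdomains: obj.include_subdomains === true,
    expiresAt: receivedAt + obj.max_age * 1000,
  };
}

// Install (or remove) a parsed policy in the cache, a Map keyed by host.
function installPolicy(cache, policy) {
  if (!policy) return;
  if (policy.remove) cache.delete(policy.host);
  else cache.set(policy.host, policy);
}

// Superdomain walk: an unexpired policy for the exact host wins; otherwise each
// ancestor is tried in turn (service.example.com, then example.com, ...) and the
// first unexpired one with include_subdomains set applies. Expired entries are
// evicted as they are met. The bare last label (e.g. "com") is never consulted;
// that cut-off is this example's assumption, not a rule quoted from the spec.
function choosePolicy(cache, host, now) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    const policy = cache.get(candidate);
    if (!policy) continue;
    if (policy.expiresAt <= now) {
      cache.delete(candidate);
      continue;
    }
    if (i === 0 || policy.includeSubdomains) return policy;
  }
  return null;
}

// The situation from the original post: a one-month policy on the apex with
// include_subdomains, nothing set on a.service.example.com itself.
// Returns which cached host's policy would govern reports for each request host.
function apexScenario(apexIncludesSubdomains) {
  const cache = new Map();
  const header = JSON.stringify({
    report_to: "default",
    max_age: 2592000, // 30 days in seconds
    include_subdomains: apexIncludesSubdomains,
  });
  const t0 = 1_700_000_000_000; // constructed "received" timestamp
  installPolicy(cache, parseNelHeader("example.com", header, t0));
  const pick = (host, now) => {
    const p = choosePolicy(cache, host, now);
    return p ? p.host : null;
  };
  return {
    apex: pick("example.com", t0 + 1000),
    oneLevel: pick("service.example.com", t0 + 1000),
    twoLevels: pick("a.service.example.com", t0 + 1000),
    afterExpiry: pick("a.service.example.com", t0 + 2592000 * 1000 + 1),
  };
}
```

With include_subdomains on the apex, the walk reaches example.com from a.service.example.com and the apex policy governs the two-level subdomain, which matches the maintainer's reading above; without it, only requests to example.com itself pick up a policy, and a client that never received the header within max_age has no policy to report under at all, so the first thing to check in an incident like this is which hosts actually emitted the NEL header and when.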