webhintio / hint

💡 A hinting engine for the web
https://webhint.io/
Apache License 2.0

Make `strict-transport-security` rule take into consideration TLD-level HSTS #555

Status: Open. Opened by alrra 7 years ago.

alrra commented 7 years ago

From https://security.googleblog.com/2017/09/broadening-hsts-to-secure-more-of-web.html:

> ... The use of TLD-level HSTS allows such namespaces to be secure by default. Registrants receive guaranteed protection for themselves and their users simply by choosing a secure TLD for their website and configuring an SSL certificate, without having to add individual domains or subdomains to the HSTS preload list. Moreover, since it typically takes months between adding a domain name to the list and browser upgrades reaching a majority of users, using an already-secured TLD provides immediate protection rather than eventual protection. Adding an entire TLD to the HSTS preload list is also more efficient, as it secures all domains under that TLD without the overhead of having to include all those domains individually.
>
> We hope to make some of these secure TLDs available for registration soon, and would like to see TLD-wide HSTS become the security standard for new TLDs.

alrra commented 6 years ago

It seems Firefox will pick this up too.

molant commented 6 years ago

Copying @alrra's comment from #699:

> From https://textslashplain.com/2017/12/05/strict-transport-security-for-dev/:
>
> > Chrome 63, shipping to the stable channel in the coming days, things have changed. Chrome has added .dev to the HSTS Preload list (along with the .foo, .page, .app, and .chrome TLDs)
>
> See also: https://cs.chromium.org/chromium/src/net/http/transport_security_state_static.json?maxsize=9259190&l=278-286
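As an added illustration, not code from this issue or from the webhint project, the following shows how a rule could consult a preload list of the kind linked above before deciding how to report a missing `strict-transport-security` header. The list entries are constructed in the shape of Chromium's `transport_security_state_static.json` (`entries` with `name`, `mode`, `include_subdomains`), not copied from it; the function names, the `.example` hosts and the "downgrade to info when preloaded" policy are all assumptions made for the example.

```javascript
// Added example, not code from the webhint project: decide whether a hostname is
// already covered by a preloaded HSTS entry (including a TLD-level entry such as
// `dev` or `app`) before deciding how to report a missing
// `strict-transport-security` header.
//
// The records below are CONSTRUCTED in the shape of Chromium's
// transport_security_state_static.json ("entries" with `name`, `mode` and
// `include_subdomains`); they are not a copy of the real list.
const preloadSample = {
  entries: [
    { name: 'dev', policy: 'public-suffix', mode: 'force-https', include_subdomains: true },
    { name: 'app', policy: 'public-suffix', mode: 'force-https', include_subdomains: true },
    // Constructed site-level entries, one with and one without subdomain coverage.
    { name: 'preloaded.example', mode: 'force-https', include_subdomains: true },
    { name: 'apex-only.example', mode: 'force-https', include_subdomains: false }
  ]
};

// Index force-https entries: lower-cased name -> whether subdomains are included.
function buildPreloadIndex(list) {
  const index = new Map();
  for (const entry of list.entries) {
    if (entry.mode === 'force-https') {
      index.set(entry.name.toLowerCase(), Boolean(entry.include_subdomains));
    }
  }
  return index;
}

// Return the preloaded name that covers `hostname`, or null. Candidates are
// checked from the full host down to the bare TLD; an exact match always
// counts, a parent entry only counts when it has include_subdomains set.
function preloadedEntryFor(hostname, index) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (!index.has(candidate)) continue;
    if (i === 0 || index.get(candidate)) return candidate;
  }
  return null;
}

// One possible reporting policy (an assumption, not the hint's actual logic):
// a missing header on a preloaded host is informational, because browsers that
// ship the list already force HTTPS there; elsewhere it stays a warning.
function evaluateHsts(hostname, headerValue, index) {
  const entry = preloadedEntryFor(hostname, index);
  const hasHeader = typeof headerValue === 'string' && headerValue.trim() !== '';
  if (hasHeader) {
    return { level: 'ok', preloadedVia: entry, message: 'strict-transport-security header present' };
  }
  if (entry) {
    return {
      level: 'info',
      preloadedVia: entry,
      message: `no header, but "${hostname}" is preloaded via "${entry}" (HTTPS already enforced by browsers shipping the list)`
    };
  }
  return { level: 'warning', preloadedVia: null, message: 'no strict-transport-security header' };
}

const index = buildPreloadIndex(preloadSample);
for (const host of ['www.project.dev', 'shop.app', 'blog.preloaded.example', 'sub.apex-only.example', 'site.com']) {
  const result = evaluateHsts(host, null, index);
  console.log(`${host}: ${result.level} (${result.preloadedVia || 'not preloaded'})`);
}
```

The policy deliberately downgrades rather than suppresses the finding: the preload list is Chromium's (other browsers import it on their own schedule), and clients that do not ship it still benefit from the header, so the absence is still worth surfacing. A consumer of the real file would also have to strip the `//` comment lines it carries before calling `JSON.parse`, and should expect entries with modes other than `force-https`.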