How should we handle HSTS headers and HTTP redirects in the redirect chain? #206
I believe that credit for a domain should only be given in cases where the STS header is for that domain, or in the case of a subdomain, if a superdomain serves an STS header with the
I don't think we currently check superdomains to see if they include the includeSubDomains directive.
Yes, #193 already only gives credit if the original domain uses HSTS, but allows for that to be later on in the redirect chain on the same domain. I think the question here is if a domain should get credit for HSTS when it uses HSTS itself, but then redirects to other domains that don't use HSTS. In that case, should the original domain's credit for HSTS be removed?
🐛 Bug Report
The current pshtt logic that examines the HSTS headers gives credit if any HSTS header encountered in the redirect chain involves the initial endpoint/hostname. If the redirect chain goes on to send the user to an HTTP URL on an entirely different domain for which the browser has never seen an HSTS header, then it seems to me that the user is not being protected by the HSTS header.
How should we handle this case?
Please also see the discussion here in #193.
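As an added example (not pshtt's own code), the following models the stricter credit rule proposed in this thread: the initial hostname gets HSTS credit only from a policy for that exact host, or for a superdomain that sent includeSubDomains, and only from policies received over HTTPS; it separately reports whether the chain ends on a plain-HTTP URL that no learned policy covers, so the open question above can be decided either way from those two facts. All hostnames, header values and chains are constructed.

```python
# Added example (not pshtt's own code): one stricter HSTS credit policy from this issue.
# The sample redirect chains at the bottom are constructed, not real scan data.
from urllib.parse import urlparse

def parse_hsts(value):
    """Return (max_age, include_subdomains) from an STS header value, or None if unusable."""
    if not value:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: browsers ignore the whole header
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def covers(policy_host, include_sub, host):
    """True if a policy set by policy_host applies to host (itself or a covered subdomain)."""
    return host == policy_host or (include_sub and host.endswith("." + policy_host))

def evaluate_chain(chain):
    """chain: ordered (url, response_headers) hops as a scanner observed them.
    Reports whether the initial hostname is covered by a policy learned along the chain,
    and whether the chain ends on a plain-HTTP URL that no learned policy covers."""
    initial_host = urlparse(chain[0][0]).hostname
    policies = {}  # host -> include_subdomains, learned from HTTPS responses only
    for url, headers in chain:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            continue  # RFC 6797 section 8.1: STS headers received over HTTP are ignored
        hsts = parse_hsts(headers.get("Strict-Transport-Security"))
        if hsts and hsts[0] > 0:  # max-age=0 only clears a policy; no credit for it here
            policies[parsed.hostname] = hsts[1]
    def protected(host):
        return any(covers(ph, inc, host) for ph, inc in policies.items())
    final = urlparse(chain[-1][0])
    return {"initial_hsts": protected(initial_host),
            "final_unprotected_http": final.scheme == "http" and not protected(final.hostname)}

HSTS = "max-age=31536000; includeSubDomains"
CROSS_DOMAIN = [("https://example.com/", {"Strict-Transport-Security": HSTS}),
                ("http://other.example/", {})]
SUPERDOMAIN = [("http://www.example.com/", {}), ("https://www.example.com/", {}),
               ("https://example.com/", {"Strict-Transport-Security": HSTS})]
HSTS_OVER_HTTP = [("http://example.com/", {"Strict-Transport-Security": HSTS})]
```

CROSS_DOMAIN is the case this issue asks about: the initial host is covered, yet the user lands on an uncovered HTTP URL, and both facts come back so the scoring rule can be chosen on top of them.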