If we stand up a service, it should be polled pretty regularly.

Google maintains a list in their Chrome source (https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json -- look for mode=force-https). We can use this list, since Google has invested in maintaining and sharing it.

Unfortunately, we can't simply take every entry in Chrome's list with mode:"force-https". This is mostly due to chart.apis.google.com being unable to handle https, which conflicts with the apis.google.com (includeSubdomains=true) entry. Additionally, many sites on that list do not even send an HSTS header, or send one that is short-lived (e.g. www.paypal.com sends a header that expires in 4 hours).
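As an added example (not code from the wiki page or from Mozilla's tooling), the filtering described above in Python: it reads a constructed fragment shaped like Chromium's transport_security_state_static.json, keeps only the mode=force-https entries, and rejects hosts whose observed HSTS header is missing or short-lived, or whose includeSubdomains entry conflicts with a subdomain that cannot serve https. The minimum max-age, the observation table and any host names not mentioned on the page are assumptions.

```python
import json
import re

# Constructed sample in the shape of Chromium's transport_security_state_static.json
# (entries with name / mode / include_subdomains). "good.example" and
# "pinned.example" are invented hosts; the others are the ones the page names.
CHROME_LIST = json.loads("""
{"entries": [
  {"name": "apis.google.com", "include_subdomains": true, "mode": "force-https"},
  {"name": "www.paypal.com", "mode": "force-https"},
  {"name": "good.example", "include_subdomains": true, "mode": "force-https"},
  {"name": "pinned.example", "pins": "test"}
]}
""")

# Constructed observations: the Strict-Transport-Security header each host
# returned over https (None = no header seen).
OBSERVED_HSTS = {
    "apis.google.com": "max-age=31536000; includeSubDomains",
    "www.paypal.com": "max-age=14400",  # 4 hours, as the page describes
    "good.example": "max-age=31536000; includeSubDomains",
}
# Constructed: subdomains known to be unreachable over https.
HTTPS_BROKEN = {"chart.apis.google.com"}

MIN_MAX_AGE = 18 * 7 * 24 * 3600  # assumption: require at least 18 weeks


def parse_max_age(header):
    """Return the max-age value (seconds) from an HSTS header, or None."""
    if not header:
        return None
    m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.I)
    return int(m.group(1)) if m else None


def select_preload(chrome_list, observed, broken, min_age=MIN_MAX_AGE):
    """Return (accepted_hosts, rejected) where rejected maps host -> reason."""
    accepted, rejected = [], {}
    for entry in chrome_list["entries"]:
        host = entry["name"]
        if entry.get("mode") != "force-https":
            continue  # pin-only entries are not HSTS entries; skip them
        age = parse_max_age(observed.get(host))
        if age is None:
            rejected[host] = "no HSTS header"
        elif age < min_age:
            rejected[host] = "max-age too short (%d s)" % age
        elif entry.get("include_subdomains") and any(
                b.endswith("." + host) for b in broken):
            rejected[host] = "includeSubdomains conflicts with https-broken subdomain"
        else:
            accepted.append(host)
    return accepted, rejected
```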