#4: Clarify that HSTS policy applies to entire host (all ports)
Comment (by jeff.hodges@…):

http://www.ietf.org/mail-archive/web/websec/current/msg00041.html

Subject: [websec] HSTS -- what about ports?
From: Daniel Veditz <[email protected]>
Date: Sat, 20 Nov 2010 22:29:48 -0800
To: [email protected]

The HSTS spec needs to be more clear about how to handle multiple servers running on different ports on the same host. I think, by referring to host name matching only, that the intent of the spec is that a server running on any port can set HSTS behavior for every other port on that host. If this is correct it might be clearer to rename "HSTS Server" to "HSTS Host" and to somewhere in the spec mention explicitly that the port is ignored when matching host names.

An alternate behavior would be that a server running on port X only specifies the behavior for that port, with a special case for the default ports 80/443 because they go unspecified. This would make sense from a security POV only if cookies were port-specific (with again a special case for the unspecified default ports), but I don't believe any browser implements cookies in that way. Handling HSTS in a port-specific manner also complicates the meaning of includeSubDomains.

###

--
-------------------------------------------+--------------------------------
 Reporter: jeff.hodges@…                   |  Owner: =JeffH
     Type: defect                          |  Status: new
 Priority: major                           |  Milestone:
Component: strict-transport-sec            |  Version:
 Severity: Active WG Document              |  Keywords:
-------------------------------------------+--------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/4#comment:2>
websec <http://tools.ietf.org/websec/>

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
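An added illustration of the host-wide matching the message describes, written for this page and not taken from the ticket, the thread, or any browser's implementation: the toy policy store below keys policies by host name only, discards the port a policy arrived on, only accepts policies over https, and applies a superdomain match only when includeSubDomains was asserted. The class and method names are my own.

```python
import time
from urllib.parse import urlsplit


class HstsStore:
    """Toy HSTS policy cache (hypothetical; not any browser's code).

    Policies are keyed by host name only: the port a policy was received on
    is discarded, so a policy set by host:8443 also governs host:80/host:443.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def process_header(self, url, header_value):
        """Record the Strict-Transport-Security policy sent in a response from url.

        Only a response received over TLS may set a policy; the port in url
        is ignored. Returns True if a policy was stored or cleared.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, url):
        """True if url must be upgraded to https, whatever its port."""
        labels = urlsplit(url).hostname.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy[0] <= self._now():
                continue  # no policy, or it has expired
            # exact host match always applies; a superdomain match applies
            # only if that policy carried includeSubDomains
            if i == 0 or policy[1]:
                return True
        return False
```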
