Hello,

The current HSTS spec draft says "A max-age value of zero (i.e., "max-age=0") signals the UA to cease regarding the host as a Known HSTS Host." (section 6.1.1) How does this interact with the includeSubdomains directive? For instance, if the UA receives an HSTS header with includeSubdomains from example.com but then receives an HSTS header with max-age=0 from sub.example.com, is sub.example.com to be noted as an HSTS host? Either way, I believe the language of the spec could be a bit more clear.
Cheers,
David Keeler

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
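The scenario in the question, worked through as an added example that is not part of the thread: a minimal Known HSTS Host cache that applies the domain-matching rules that ended up in the published RFC 6797 (a max-age=0 header removes only the exact host that sent it, while a superdomain entry asserting includeSubDomains still covers that host). The class and host names are constructed for illustration.

```python
# Added example: a toy Known HSTS Host cache modelled on the rules that ended
# up in RFC 6797 (sections 8.1-8.3). Not code from the websec thread.
import re
import time


class HstsCache:
    def __init__(self):
        self.hosts = {}  # host -> (expiry_epoch, include_subdomains)

    def process_header(self, host, header, now=None):
        """Apply a Strict-Transport-Security header received over TLS from `host`."""
        now = time.time() if now is None else now
        max_age = None
        include_subdomains = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age" and max_age is None:
                value = value.strip().strip('"')
                if not re.fullmatch(r"\d+", value):
                    return  # malformed max-age: the whole header is ignored
                max_age = int(value)
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return  # max-age is mandatory; header without it is ignored
        if max_age == 0:
            # Forget this exact host only; any superdomain entry is untouched.
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = (now + max_age, include_subdomains)

    def is_known(self, host, now=None):
        """Congruent match, or superdomain match where includeSubDomains was set."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None or entry[0] <= now:
                continue  # unknown or expired entry
            if i == 0 or entry[1]:
                return True
        return False


def demo():
    """The thread's scenario: example.com sets includeSubDomains, then sub.example.com sends max-age=0."""
    cache = HstsCache()
    cache.process_header("example.com", "max-age=31536000; includeSubDomains", now=0)
    cache.process_header("sub.example.com", "max-age=0", now=1)
    return cache.is_known("sub.example.com", now=2)  # True: still covered via example.com
```

Note that sub.example.com's own max-age=0 cannot override the parent's includeSubDomains assertion; only example.com itself sending max-age=0 (or the parent entry expiring) would stop covering the subdomain.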
