The way the implementation in Chrome works is that max-age=0 only clears the entry for that particular host name. If there's another shorter host name with includeSubdomains, that isn't affected.
Adam

On Mon, Aug 13, 2012 at 3:16 PM, David Keeler <[email protected]> wrote:
> Hello,
>
> The current HSTS spec draft says "A max-age value of zero (i.e.,
> "max-age=0") signals the UA to cease regarding the host as a Known HSTS
> Host." (section 6.1.1) How does this interact with the includeSubdomains
> directive?
> For instance, if the UA receives an HSTS header with includeSubdomains
> from example.com but then receives an HSTS header with max-age=0 from
> sub.example.com, is sub.example.com to be noted as an HSTS host?
> Either way, I believe the language of the spec could be a bit more clear.
>
> Cheers,
> David Keeler
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
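The behaviour Adam describes (max-age=0 removes only the exact host's entry, while a parent entry carrying includeSubDomains keeps covering the subdomain) is easy to get wrong in a store implementation. Below is a small Python model of an HSTS store, written as an added example for this thread; it is not Chrome's code and not anything posted by either participant. It assumes a store keyed by exact host name, a lookup that walks up the parent-domain chain, and the rule that an ancestor's entry applies to a subdomain only if that entry was set with includeSubDomains. Directive-name case-insensitivity and the quoted-value form follow the HSTS header grammar; everything else is my own modelling choice.

```python
"""Toy model of a browser's HSTS store (added example; not Chrome's code
and not code from the thread).

Assumptions (mine): entries are keyed by exact host name, a lookup walks
up the parent-domain chain, and an ancestor entry applies to a subdomain
only if it was set with includeSubDomains.
"""
import time


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into
    (max_age, include_subdomains). Returns None when max-age is missing
    or malformed, in which case the header would be ignored."""
    max_age = None
    include_sub = False
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # max-age may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the scenario is deterministic
        self.entries = {}       # host -> (expiry, include_subdomains)

    def receive(self, host, header):
        """Apply an HSTS header received over a secure connection from host."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            # max-age=0 clears only this exact host's entry. A parent
            # entry with includeSubDomains is deliberately left alone,
            # which is the behaviour described in the reply above.
            self.entries.pop(host, None)
            return
        self.entries[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if host should be treated as a Known HSTS Host."""
        host = host.lower()
        labels = host.split(".")
        now = self.now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue                    # expired entry, ignore it
            if i == 0 or include_sub:       # own entry, or covering parent
                return True
        return False


def scenario():
    """Replays the case from David's question with a fixed clock."""
    store = HstsStore(now=lambda: 1000.0)
    store.receive("example.com", "max-age=31536000; includeSubDomains")
    store.receive("sub.example.com", "max-age=31536000")
    before = store.is_known("sub.example.com")
    store.receive("sub.example.com", "max-age=0")       # clears sub's own entry
    after = store.is_known("sub.example.com")           # still covered by parent
    store.receive("example.com", "max-age=0")           # now clear the parent too
    after_parent = store.is_known("sub.example.com")
    return before, after, after_parent, "sub.example.com" in store.entries


if __name__ == "__main__":
    print(scenario())
```

Under these rules sub.example.com stays a Known HSTS Host after its own max-age=0, because example.com's includeSubDomains entry still covers it; only clearing example.com itself (or letting it expire) changes that. A store that instead matched the max-age=0 host against every entry covering it would silently widen the effect of the directive.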
