Tobias wrote:
>
> Would agree with Adam.
agreed -- what Adam relates is how the spec and the implementations have worked
for ages.
> And for Brian, I think there is actually one more use case that you
> haven't considered:
> Look at it in reverse order:
> 1. We visit https://sub.example.com and receive HSTS with max-age=1234567890
> 2. We visit https://example.com and receive HSTS with max-age=0 ;
> includeSubdomains
>
> as far as I remember that would actually clear HSTS for sub.example.com?
No, it would not do so. As Adam said, the user agent maintains a list of
distinct host names which have issued the HSTS Policy (aka STS header field).
The above scenario would result in no entry for example.com, and an entry for
sub.example.com.
=JeffH
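To make the behaviour JeffH and Adam describe concrete, here is an added example (not code from the websec thread or from any browser): a minimal "Known HSTS Host" store modelled on RFC 6797, which keys entries by the exact host name that sent the STS header and, on max-age=0, removes only that host's own entry. The class and function names (HSTSStore, run_scenarios) are my own; the two header values are the ones from the quoted scenario, plus a constructed reverse case showing that a max-age=0 from a subdomain does not remove coverage it inherits from a parent's includeSubDomains.

```python
import re
import time

# Added example, not from the websec thread: a simplified RFC 6797 known-host store.
# Entries are keyed by the exact host name that issued the STS header field.


class HSTSStore:
    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host name -> (expiry timestamp, includeSubDomains flag)

    @staticmethod
    def parse_sts(value):
        """Parse an STS header field value into (max_age, include_subdomains).

        Returns None when the value is invalid per RFC 6797 section 6.1:
        max-age missing or malformed, or any directive given more than once.
        Unknown directives are ignored, directive names are case-insensitive.
        """
        max_age = None
        include_sub = False
        seen = set()
        for directive in value.split(";"):
            directive = directive.strip()
            if not directive:
                continue
            name, _, val = directive.partition("=")
            name = name.strip().lower()
            if name in seen:
                return None
            seen.add(name)
            val = val.strip().strip('"')  # value may be a quoted-string
            if name == "max-age":
                if not re.fullmatch(r"\d+", val):
                    return None
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return None
        return max_age, include_sub

    def receive(self, host, sts_value, secure=True):
        """Process an STS header received from `host`; only that host's entry changes."""
        host = host.lower()
        if not secure:
            return  # section 8.1: STS over non-secure transport is ignored
        parsed = self.parse_sts(sts_value)
        if parsed is None:
            return  # invalid header: existing state is left untouched
        max_age, include_sub = parsed
        if max_age == 0:
            # max-age=0 deletes the entry for this exact host name, nothing else
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (self._now() + max_age, include_sub)

    def is_known(self, host):
        """True if `host` is a Known HSTS Host, directly or via a parent's includeSubDomains."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self._now():
                self._hosts.pop(candidate)  # expired entries are purged lazily
                continue
            if i == 0 or include_sub:  # exact match, or a covering superdomain
                return True
        return False

    def hosts(self):
        return sorted(self._hosts)


def run_scenarios():
    """Scenario 1 is the quoted exchange; scenario 2 is the constructed reverse case."""
    quoted = HSTSStore()
    quoted.receive("sub.example.com", "max-age=1234567890")
    quoted.receive("example.com", "max-age=0; includeSubDomains")

    reverse = HSTSStore()
    reverse.receive("example.com", "max-age=3600; includeSubDomains")
    reverse.receive("sub.example.com", "max-age=0")
    return quoted, reverse


if __name__ == "__main__":
    quoted, reverse = run_scenarios()
    print("scenario 1 entries:", quoted.hosts())
    print("scenario 2 entries:", reverse.hosts())
```

In the first scenario the store ends up with exactly one entry, sub.example.com; example.com never gets one, and its includeSubDomains directive has nothing to attach to because max-age=0 only deletes. In the reverse scenario the max-age=0 from sub.example.com removes nothing (it never had its own entry), so it stays covered through example.com's includeSubDomains entry.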
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec