Hi tav

It's not just late in the process. The process is pretty much over. What you 
are proposing could be either an extension to HSTS, or a revision to HSTS.

Furthermore, support of HSTS is not negotiated: the server just sends the 
header, and the client either parses it or ignores it. There's no version 
negotiation. So if your server sends the header that you propose, there 
are three possible outcomes:
 1. The client is old, and ignores HSTS.
 2. The client is current, registers HSTS, but ignores the exclusion.
 3. The client supports your extension.

#1 and #3 are OK, but #2 (which is most of the desktop browsers in use today) 
means that either from.espra.com will have STS applied (bad) or that none of 
the subdomains will have STS (if you drop the includeSubDomains keyword - 
somewhat bad).

As a practical matter, this is one case where backwards compatibility will 
cause you a lot of grief, unless you try to identify supporting implementations 
by user agent string.

I guess the best thing would be to avoid the includeSubdomains keyword, and 
just have an HSTS header for each of the servers except for from.espra.com.

Yoav
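
To make outcome #2 concrete, here is an added example (not from this thread and not any browser's code) that models how an RFC 6797 client processes the header: only max-age and includeSubDomains are defined, unknown directives such as the proposed exclude= are silently dropped, and the sample hosts are taken from the proposal.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class StsPolicy:
    max_age: int
    include_subdomains: bool


def parse_sts(header: str) -> Optional[StsPolicy]:
    """Parse a Strict-Transport-Security value as an RFC 6797 UA does.

    Unknown directives (e.g. the hypothetical 'exclude=') are ignored,
    not rejected. A missing, duplicated or malformed max-age makes the
    whole header invalid, so no policy is recorded.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None  # duplicate or non-numeric max-age: header ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive name is skipped by a conforming client
    if max_age is None:
        return None
    return StsPolicy(max_age, include_subdomains)


def sts_applies(policy: Optional[StsPolicy], known_host: str, request_host: str) -> bool:
    """Would the UA force HTTPS for request_host, given a policy learned from known_host?"""
    if policy is None or policy.max_age == 0:
        return False  # no policy, or max-age=0 which deletes the known host
    if request_host.lower() == known_host.lower():
        return True
    # subdomains are covered only when includeSubDomains was present
    return policy.include_subdomains and request_host.lower().endswith("." + known_host.lower())
```

Running the proposed header through parse_sts shows that a current client keeps includeSubDomains and drops exclude=, so from.espra.com is upgraded; the shortened form protects no subdomain at all.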


On Jan 16, 2013, at 12:57 AM, tav <[email protected]> wrote:

> Hi there,
> 
> I realise that this proposal might be rather late in the process, but
> would it be possible to add a list of excluded subdomains in the STS
> header?
> 
> My use case is that I am setting up a new service which has the STS
> header set so that users might have a more secure experience. However,
> for the purposes of sending referrer path information to non-HTTPS
> sites, I have one subdomain which does redirects over plain HTTP, e.g.
> http://from.espra.com/some/referrer/path.
> 
> In an ideal world, I would be able to set a comprehensive STS header
> which excluded just that one subdomain, e.g.
> 
>  Strict-Transport-Security: max-age=31536000; includeSubDomains;
> exclude=from.espra.com
> 
> And since having an exclude implicitly suggests includeSubdomains, it
> could be shortened to just:
> 
>  Strict-Transport-Security: max-age=31536000; exclude=from.espra.com
> 
> There are, of course, alternative solutions, e.g. using another domain
> for the HTTP redirect or setting STS on individual subdomains without
> specifying includeSubdomains. But this seems like it would be a more
> elegant and secure solution.
> 
> Thank you for your time!
> 
> -- 
> All the best, tav
> 
> plex:espians/tav | [email protected] | +44 (0) 7809 569 369
> http://tav.espians.com | http://twitter.com/tav | skype:tavespian
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec