On Aug 9, 2014, at 8:46 PM, Eric Lawrence <[email protected]> wrote:
> The best scenario, of course, is if a site's HSTS policy is pre-deployed to the browser

These things tend to work for big sites (Facebook, Bank of America, Amazon) and not so well for smaller sites.

I wonder if a good modification to HSTS would be to have an “includeParent” directive. Of course we can’t let a subdomain specify a policy for a parent domain, but it could serve as a hint, triggering the UA to probe the parent domain as you suggested.

That said, this is yet more evidence that cookies are hopelessly broken.

Yoav (not wearing any hats)

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec

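As an added illustration of the distinction the reply draws (not code from the thread or from any browser), the sketch below models a minimal HSTS store: a policy learned from a host applies to that host and, only with `includeSubDomains`, to its subdomains; the hypothetical `includeParent` directive is assumed to be a hint that merely queues a probe of the parent and never installs a policy for it.

```python
from dataclasses import dataclass


@dataclass
class HstsEntry:
    max_age: int
    include_subdomains: bool
    include_parent: bool  # hypothetical hint, not part of RFC 6797


def parse_hsts(header: str) -> HstsEntry:
    """Parse a Strict-Transport-Security header value (simplified)."""
    max_age, include_subdomains, include_parent = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "includeparent":  # assumed directive from the reply
            include_parent = True
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsEntry(max_age, include_subdomains, include_parent)


class HstsStore:
    def __init__(self) -> None:
        self.entries: dict[str, HstsEntry] = {}
        self.probe_queue: list[str] = []  # parents the UA should revisit over https

    def observe(self, host: str, header: str) -> None:
        """Record the policy a host sent; max-age=0 removes it."""
        entry = parse_hsts(header)
        if entry.max_age == 0:
            self.entries.pop(host, None)
            return
        self.entries[host] = entry
        parent = host.partition(".")[2]
        # Hint only: the parent is probed, never given a policy by its child.
        if entry.include_parent and "." in parent:
            self.probe_queue.append(parent)

    def must_upgrade(self, host: str) -> bool:
        """True if an exact match or an includeSubDomains superdomain applies."""
        if host in self.entries:
            return True
        labels = host.split(".")
        for i in range(1, len(labels) - 1):  # stop before the bare TLD
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry.include_subdomains:
                return True
        return False
```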